NOTE: Guidance for Putting it into Practice

Two sample (very different) scenarios for putting principles of operational resilience into practice:

1. After a major and visible disruptive event has taken place and you want to apply concepts from this module to deal with it.

2. There is a (business) desire to put in place a strategic plan and program to raise the bar.
Setting the Stage

Three Stories; Same Conclusion

February 2014 Hacking of Forbes, Inc.
(Phishing is popular and effective)
(Some people will never change)

Chief Information Security Officer

Forbes, BUSINESS, 2/18/2014
Lewis DVorkin, Forbes Staff

Inside Forbes: After a Digital Attack, a Story of Recovery and What It Means

Forbes.com came under digital attack last week. It began Thursday and continued into Friday. On Twitter, the Syrian Electronic Army, supporters of Syrian President Bashar al-Assad, claimed responsibility, just as it did with attacks on Facebook, BBC News, The Washington Post, the Associated Press and others (Kickstarter was hit by still-unidentified hackers as well).

"...We could have done real damage but we restrained ourselves... We only published the database for one day... We were able to delete everything but we didn't: the files, the articles, the whole database..."

Claimant hacking organization's representative
2011 - 2014

July 2011: University of California Los Angeles website defaced by SEA hacker "The Pro".
September 2011: Harvard University website defaced in what was called the work of a "sophi...
April 2012: The Syrian Electronic Army took down the official blog of social media website ...
August 2012: The Twitter account of the Reuters news agency was hacked by the SEA.
23 April 2013: The SEA hijacked the Associated Press Twitter account and falsely claimed ...
May 2013: The Twitter account of The Onion was compromised by the SEA, by phishing Go...
May 2013: The ITV news London Twitter account was hacked on the 24th May 2013 by the ...
17 July 2013: Truecaller servers were allegedly hacked into by the Syrian Electronic Army. ... alleged database host ID, username, and password via another tweet. On 18 July 2013, T...
23 July 2013: Viber servers were allegedly hacked into by SEA as well. The Viber support w...
15 August 2013: Advertising service Outbrain was hacked by the SEA via a spearphishing a...
27 August 2013: NYTimes.com has its DN...
28 August 2013: Twitter had its DNS regist...
29-30 August 2013: The New York Times, ... weapons. A self-described operative of the ... we may use methods of causing harm, bot...
2-3 September 2013: Pro-Syria hackers br... several hours Monday and redirected to a s...
30 September 2013: SEA hacked the webs... [sic] about Syrian Electronic Army" and "T...
28 October 2013: By gaining access to the Gmail account of an Organizing for Action staff...
9 November 2013: SEA hacked the website of VICE, which is a no affiliate news/documenta...
12 November 2013: SEA hacked the Facebook page of Matthew Van Dyke, a Libyan Civil W...
1 January 2014: SEA hacked the official Facebook and Twitter pages for Skype as well as th... Microsoft sells user information to the government.
11 January 2014: SEA hacked the @XboxSupport Twitter pages and directed tweets to the gr...
22 January 2014: SEA continued hacks on Microsoft. Hacking the official Microsoft Office Bl...
23 January 2014: SEA hacked CNN's official Twitter account and posted two messages, incl...
03 February 2014: SEA hacked the websites of eBay and Paypal UK. One source says the ...
06 February 2014: SEA hacked the DNS of Facebook. Sources say the registrant contact det...
14 February 2014: SEA hacked the Forbes website.
14 February 2014: Syrian Electronic Army hacked the Forbes official website and their Twitt...

Phishing continues to be effective and popular with the claimant hacking organization

Source: http://en.wikipedia.org/wiki/Syrian_Electronic_Army
Some people will never change

PASSWORDS RECOVERED FROM FORBES STAFFERS AFTER RECENT BREACH

Password                 Count      Share
forbes1                  45/524     8.6%
Welcome1                 14/524     2.7%
forbes123                11/524     2.1%
forbes13                  4/524     0.8%
test123                   3/524     0.6%
(illegible in source)     3/524     0.6%
(others)                 42/524     8.0%
TOTAL                   122/524    23.3%

(The Share column is recomputed from the counts; only the 23.3% total survived extraction legibly.)

Source: http://nakedsecurity.sophos.com/2014/02/17/forbes-hack-password-shootout-gmail-vs-yahoo-vs-hotmail-vs-aol-whose-users-are-the-smartest/
Environment that Forbes Operates In

"...There are challenges and risks associated with a platform that supports a distributed workforce using a distributed set of tools in a social news environment..."

"...Certain consumer friendly features, such as social log-ons and plug-ins that enhance the news product, carry their own vulnerabilities. The rewards of innovation are significant..."

Lewis DVorkin
Chief Product Officer of Forbes Media
Sandy's Surprises

Hurricane Sandy - Basic Statistics

Developed: October 22, 2012
Dissipated: October 31, 2012
Highest winds: 115 mph
Lowest pressure: 940 mbar
Strength: Category 3 hurricane at its peak intensity
Size: Winds spanning 1,100 miles
Power outages: Peaked at 8.2 million customers (October 30)
Fatalities: 147 direct (138 indirect)
Economic damage: Estimated to be $75 billion
Nicknames: Superstorm Sandy; Frankenstorm
Hurricane Sandy - Affected Regions

Caribbean
• Jamaica
• Haiti
• Bahamas
• Bermuda
• Cuba

United States
• Florida
• North & South Carolina
• West Virginia
• Virginia
• Maryland
• Delaware
• New Jersey
• New York
• Pennsylvania
• New England region
• Great Lakes region
• Appalachian Mountains region

Canada
Large hurricane but expected... Flooding

Large but expected... Wind Damage

Large but expected... Loss of Power
Typical Manhattan evening view
October 29, 2012

Large but expected... Demand for generators
Unexpected - Failures of numerous ... backup generators in hospitals and data centers

Computerworld, November 1, 2012, by Matt Hamblen
Hurricane Sandy: Backup generators fail at major New York hospitals
Expert advises that diesel pumps be moved to higher ground, and that data centers in the city consistently test backup systems
Devastation caused by Hurricane Sandy forced at least two major hospitals and a data center in lower Manhattan to resort to backup ...

Computerworld, November 1, 2012, by Patrick Thibodeau
Drama in NYC as data center temp passes 100 degrees
Sandy-caused generator problems affect air conditioning at data center in Google-owned carrier hotel building

The Wall Street Journal, Friday, November 2, 2012, by Matt Jarzemsky
Knight Capital Tells Customers to Route Away as Power Fails
Knight Capital Group Inc. (KCG) told customers to avoid routing stock orders to the trading firm because of what a spokeswoman called a "generator issue" at its New ... headquarters.
Unexpected - Major Devastating Fire

Unexpected - Blizzard

Unexpected - Acting like a sandstorm
Seaside Heights, NJ - Before
Cape May, NJ - After
Unexpected - Petroleum Shortage

A list of refineries impacted by Hurricane Sandy is presented in the table below.

Refineries in the Path of Sandy as of 1:00pm EDT 10/30/12

Refinery                                 Location             Capacity (B/D)   Status
Hess*                                    Port Reading, NJ           70,000     first status column (header illegible)
Monroe Energy                            Trainer, PA               185,000     Reduced Runs
PBF                                      Delaware City, DE         182,200     Reduced Runs
PBF                                      Paulsboro, NJ             160,000     Reduced Runs
Philadelphia Energy Solutions (Sunoco)   Philadelphia, PA          335,000     Reduced Runs
Phillips 66                              Linden, NJ                238,000     first status column (header illegible)
TOTAL                                                           1,170,200

Status column totals from the table's TOTAL row: first status column 308,000; Restarting 0; Reduced Runs 862,200; Normal 0. The header of the first status column did not survive extraction; the totals identify Hess and Phillips 66 (70,000 + 238,000 = 308,000 B/D) as the two refineries in that column and the remaining four (862,200 B/D) as Reduced Runs.

Note: The table does not include asphalt refineries or facilities already closed in prior years.

*The Hess Port Reading, NJ facility does not process crude, but processes gas oils to produce petroleum products.
Sources: Confirmed by company or on company web site. Various trade press sources.
Unexpected - Run on... power strips

ATM Vestibule
CNN Mobile Unit
Shelter
Nader's Briefcase

Changes Since 9/11

September 11, 2001
I was on a business trip out of town. My briefcase contained
• A laptop
• An analog cell phone

September 11, 2014
I was on a business trip out of town. My briefcase contained
• 11 devices needing frequent charging
• Majority with some form of wireless capability
Expanding and Dynamic Risk Environment

How has the critical infrastructure risk environment changed since 9/11:

Movement from traditional wireline telephony to cell phones and broadband cable telephony.

Cutting The Lifeline: The percentage of cellphone-only households is growing. July-Dec. 2011: 34%
Source: CDC/NCHS survey of 136,223 households conducted Jan. 2008-Dec. 2011; 95% confidence interval. The Wall Street Journal

"...As of 2003, 153 million Americans lived in coastal counties - an increase of 33 million since 1980 - and 3.7 million lived within a few feet of high tide..."
Bryan Walsh, Time Magazine, November 12, 2012

Dependency on large number of mobile devices needing frequent re-charging.

... and there are many more.
Expansion of Risk Environment

• Globalization
• Operational complexity
• Pervasive use of technology
• Intertwining of cyber and physical domains
• Increased role of cybersecurity in securing physical assets
• Movement toward intangible assets
• Global economic pressures
• Regulatory and legal boundaries
• Geo-political pressures

Successful management of operational risk may require a (significant) shift in thinking and approach.
Interestingly enough...

A few weeks before they were hacked?

Forbes, BUSINESS, 1/15/2014

Why Cyber Security Is Not Enough: You Need Cyber Resilience

By Matthew Goche and William Gouveia

It's true, cyber attackers have an edge on you. Just look at recent incidents of credit card information being stolen from Target and SnapChat users' names and cell phone numbers being published online.
Step-By-Step / Checklist / Roadmap

□
□ Characterize your risk environment
□
□

Organizational Mission

Why are we having this discussion?

American Red Cross
"The American Red Cross prevents and alleviates human suffering in the face of emergencies by mobilizing the power of volunteers and the generosity of donors."
Disaster Relief | Safe and Adequate Blood Supply | Health and Safety Education | ...

United States Postal Service
"To provide postal services to bind the Nation together ... To provide prompt, reliable, and efficient services to patrons in all areas and ... render postal services to all communities."
Delivering Mail | Selling Stamps | Ensuring Mail Safety | Operating a 37,000-node intranet | ...

Contributing positively to the earth's natural ecosystem.
Shade | Habitat for Birds | Climbing Opportunity | Beauty | ...
Step-By-Step / Checklist / Roadmap

□
□ Identify your critical products and services (Why do you exist?)
□ Characterize your risk environment
□
□

Operational Stress

March 2011

The Washington Post, Posted at 04:46 PM ET, 07/26/2011
Cyber attack on RSA cost EMC $66 million
By Hayley Tsukayama
In its earnings call Tuesday, EMC disclosed that it spent $66 million in its second quarter to deal with a cyber attack that compromised its ...

The New York Times, Published: May 27, 2011
Data Breach at Security Firm Linked to Attack on Lockheed
By Christopher Drew and John Markoff
Lockheed Martin, the nation's largest military contractor, has battled disruptions in its computer networks this week that might be tied to a hacking attack on a vendor that supplies coded security tokens to ...
Affecting Customer and Supplier

January 2012

Wired, by Kim Zetter, 01.24.12, 11:15 AM
Hackers Breached Railway Network, Disrupted Service
Manipulated railway computers, TSA memo says
(Photo: Lenny Ignelzi/AP File)
This story has been updated with new information from the railroad industry and to clearly state the industry's contention that the TSA memo was inaccurate.
Hackers, possibly from abroad, executed an attack on a Northwest rail company's computers that disrupted railway signals for ...

The Wall Street Journal, Saturday, February 4, 2012
TECHNOLOGY | February 4, 2012
Micron Chief Dies in Crash
Steve Appleton Loved Fast Jets, Cars; 'I'd Rather Die Living Than Die Dying'
By Shara Tibken and Don Clark

Steven R. Appleton, chairman and chief executive of Micron Technology Inc. and one of the most prominent figures in the semiconductor industry, died Friday when the high-performance airplane he was piloting crashed at Boise, Idaho's airport.

The death of the 51-year-old stunned Micron, the well-known maker of memory chips based in the same city, and comes at a time of rapid change for the company and its industry.

The National Transportation Safety Board is investigating the accident, which happened soon after Mr. Appleton took off alone in a single-engine Lancair. The plane, from a maker of aircraft kits, had taken off and landed once and was ...

Feb. 2012
Micron Technology, Inc.

Unavailability of Vital Staff
April 2012

"... and expect that the works to fully repair the plant will take at least three months," an Evonik spokeswoman said. Several Evonik executives attended the meeting on Tuesday.

Nylon-12 Haunts Car Makers
Explosion at Big Supplier of Resin for Automotive Parts Has Industry ... Shortages
By Jeff Bennett and Jan Hromadko
Production shortfalls at a single German auto-parts supplier are beginning ... through the global auto business.

Chemical plant explosion brakes car makers
The explosion at a German chemicals plant two weeks ago, which killed two workers, has thrown the global car industry into turmoil as manufacturers run short of a vital component, prompting an emergency meeting in Detroit.

More than 200 auto executives met in a Detroit suburb on Tuesday to evaluate a looming shortage of a relatively obscure resin essential to modern auto production.

Inventories of the resin are being depleted af... Industries AG plant in Marl, Germany, that ... itself as the only integrated maker of the res... lines.

WHAT 'OBSCURE' BUT ESSENTIAL COMPOUND SHORTAGE HAS THE AUTO INDUSTRY WORRIED ABOUT PRODUCTION?

Supply Chain Failures
Saudi Aramco hit by computer virus
World's largest oil company says its operations have not been affected as hackers claim responsibility for attack
Charles Arthur, guardian.co.uk, Thursday 16 August 2012 17.34 EDT

Destructive attack (wiper virus) and DDoS at the same time

Aramco Says Cyberattack Was Aimed at Production
By Reuters, Published: December 9, 2012
JEDDAH, Saudi Arabia (Reuters) - Saudi Arabia's national oil company, Aramco, said on Sunday that a cyberattack against it in August that damaged some 30,000 computers was aimed at stopping oil and gas production in Saudi Arabia, the biggest exporter in the Organization of the Petroleum Exporting Countries.

Staten Island Advance, by John Annese and Jillian Jorgensen
Tracking the storm
The city is in a virtual lockdown as a storm of unprecedented character slammed into the East Coast ... The worst of the powerful hurricane is expected Monday night into Tuesday.

Natural Disasters Affecting Critical Infrastructure
Are the ongoing DDoS attacks against U.S. banks just the calm before the storm?
by Avivah Litan | March 14, 2013 | 1 Comment

That's a viable hypothesis after hearing that the attackers only used one thir... they had staged for their latest round of attacks against U.S. banks last Tue... Tuesday the total size of the DDoS attack was 190 gigabits at one time, wit... against a single bank at 110 gigabits.

Interestingly, the attackers could have easily done even more damage but th... 9200 bots were identified as attack-capable but the total number of bots actu... sending the DDoS traffic to the banks numbered only about 3200. The other ... doing nothing.

DDoS Attacks on U.S. Banks: Worst Yet to Come?
February 19, 2013, 12:01am
Evidence suggests the purpose of the DDoS attacks carried out against U.S. banks last fall may have been testing financial services companies' security capabilities, whereas the intent of those launched in December 2012 and January 2013 appears to have been to simply cause ...

DDoS: Lessons from Phase 2 Attacks
Dual-Pronged Attacks Necessitate Stronger App Management
By Tracy Kitten, April 16, 2013
Assault on California Power Station Raises Alarm on Potential for Terrorism
April Sniper Attack Knocked Out Substation, Raises Concern for Country's Power Grid
By Rebecca Smith

False AP Twitter Message Sparks Stock-Market Selloff
By Shira Ovide

The Associated Press said Tuesday its Twitter account was compromised, resulting in a false message on the service that explosions in the White House had injured President Barack Obama. The message briefly sparked a selloff on U.S. stock markets.

"The Twitter account has been hacked," the AP said in a statement Tues... tweet about an attack on the White House is false."

Other Twitter accounts associated with Associated Press were quick to ... false Twitter message, which was posted just after 1 p.m. Eastern time, ... afterward, the news organization's main Twitter account was suspended ...

Operational Stress on Financial Markets (& White House)

British daily newspaper The Guardian reveals the leak of classified National Security Agency (NSA) documents, beginning with an order from the Foreign Intelligence Surveillance Court (FISC) requiring Verizon to hand over metadata from millions of Americans' phone calls to the Federal Bureau of Investigation (FBI) and the NSA.

The Guardian: News > World news > Edward Snowden
June 5, 2013
Snowden used simple technology to mine NSA computer networks
Press report says whistleblower used 'webcrawler' software
Revelation raises new doubts about failure to detect activities

June: Guardian announces leak of classified NSA documents

Insider Threat

Scientific American, Health :: News :: June 25, 2013

June 2013

A New Cyber Concern: Hack Attacks on Medical Devices
The FDA issues guidelines to manufacturers to protect their products
By Dina Fine Maron
Computer viruses do not discriminate. Malware prowling the cybersphere for bank information and passwords does not distinguish between ... hospital machine ... patient. Even if a rad... say, is infiltrated uni... could theoretically c... spike.

The Wall Street Journal, U.S. News | June 13, 2013, 7:33 p.m. ET
Patients Put at Risk By Computer Viruses
By Christopher Weaver
The Food and Drug Administration is warning makers of heart monitors, mammogram machines and myriad other medical devices that their gear is at risk of ...
Target Hit by Credit-Card Breach
Customers' Info May Have Been Stolen Over Black Friday Weekend
By Robin Sidel, Danny Yadron and Sara Germano
Updated Dec. 19, 2013 7:29 a.m. ET
Target Corp. (TGT) was hit by an extensive theft of its customers' credit-card and debit-card data over the busy Black Friday weekend, people familiar with the matter said, in what appears to be a brazen breach of ...
The theft was national in scope and happened ...

CNET: Target hack strips banks and credit unions of $200M

BUSINESS
Target Now Says 70 Million People Hit in Data Breach
Neiman Marcus Also Says Its Customer Data Was Hacked
By Paul Ziobro and Danny Yadron
February 11, 2014
Hacked X-Rays Could Slip Guns Past Airport Security
By Kim Zetter, 02.11.14, 6:30 AM

PUNTA CANA, Dominican Republic - Could a threat-simulation feature found in airport ... around the country be subverted to mask weapons or other contraband hidden in a tra...

The answer is yes, according to two security researchers with a history of discovering ... systems, who purchased their own x-ray control machine online and spent months anal... workings.

The researchers, Billy Rios and Terry McCorkle, say the so-called Threat Image Proje...

Intertwining of Physical and Cyber World
Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data
Common Web Security Tool Is Flawed, Researchers Say
By Danny Yadron, Updated April 8, 2014 7:29 p.m. ET

An encryption tool used by a large chunk of the Internet is flawed, pot... reams of data meant to be hidden from prying eyes.

The bug, nicknamed Heartbleed by researchers at Google Inc. and ... Codenomicon, could have affected two-thirds of active websites wher... Monday, they s...

The Morning Download: How Businesses Are Coping With Heartbleed 'Catastrophe'

Canada Halts Online Tax-Filing Services
'Heartbleed' Bug Could Expose Masses of Personal Information; Service ...
By Paul Vieira, April 9, 2014 4:53 p.m. ET
OTTAWA - Canada shut down its online tax-filing services just weeks before millions of Canadians must file their tax returns, citing the emergence of a computer bug that could expose masses of critical personal informati...
Hacker says to show passenger jets at risk of cyber attack
By Jim Finkle
BOSTON | Mon Aug 4, 2014 5:39pm IST

(Reuters) - Cyber security researcher Ruben Santamarta says he has figured out how to hack the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems - a claim that, if confirmed, could prompt a review of aircraft security.

Santamarta, a consultant with cyber security firm IOActive, is scheduled to lay out the technical details of his research at this week's Black Hat hacking conference in Las Vegas, an annual convention where thousands of hackers and security experts meet to discuss ... threats and improve security measures.

Stress on Traveling Public, Air Carriers, TSA, ...
'Bash' command flaw leaves Linux, OS X and more open to attack
by Jon Fingas | @jonfingas | September 24th 2014 at 9:02 pm

Rush to Fix Shellshock Software Bug as ... Launch Thousands of Attacks
By Nicole Perlroth, September 26, 2014 3:35 PM
Step-By-Step / Checklist / Roadmap

□
□ Identify your critical products and services (Why do you exist?)
□ What does operational stress mean to you?
□ Characterize your risk environment
□
□

EXAMPLE: Operational Stress for USPS - White Powder
Operational Risk: Safety & Availability of People Assets

EXAMPLE: Operational Stress for USPS - Bad Postage
• Short pay
• Reused
• Photoshopped
• Counterfeit
• Photocopied
Operational Risk: Operational Inefficiencies; Revenue Assurance
Ever-Increasing Capability & Complexity

Geographic Boundaries Disappear in Cyberspace

Attack Sophistication vs. Intruder Technical Knowledge

Attack Sophistication

Where was the information stored?
Who had control over the information?
Who valued the information?
Who created the information?
Step-By-Step / Checklist / Roadmap

□
□ Identify your critical products and services (Why do you exist?)
□ What does operational stress mean to you?
□ Internal environmental scan (What has changed internally?)
□ External environmental scan (What has changed externally?)
□ Characterize your risk environment
□
□

Operational Resilience

Risk & Resilience
Enterprise Risk Management
Operational Risk Management
Hurdles to effective operational risk management
risk noun [risk]

The possibility of suffering harm or loss
Exposure to the chance of injury or loss
A source of danger
The possibility of suffering a harmful event

RISK
1. An event or condition
2. A consequence or impact from the condition
3. An uncertainty
Enterprise Risk Management

Looks across all types of risk activities in the organization and considers all types of risks
Connects risk management to strategic and business drivers

Operational Risk

A form of risk affecting day-to-day business operations
A very broad risk category
• from high-frequency low-impact to low-frequency high-impact
Exacerbated by
• actions of people
• systems and technology failures
• failed internal processes
• external events
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[Figure: Operational Risk Management shown nested within Enterprise Risk Management (ERM)]


Actions  of  People 


Inadvertent  or  deliberate 

Direct  or  indirect 

Mistakes,  errors,  omissions 

Deliberate  actions  such  as  insider 
threat,  sabotage,  fraud 

Lack  of  skills  or  knowledge 

Lack  of  availability 

Poor  leadership  or  guidance 

Poor  governance 

Lack  of  training  &  education 

Etc.,  Etc.,  Etc... 
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Systems  and  Technology  Failures 


Lack  of  proper  system 
maintenance 

Poor  configuration  and  change 
management 

Insecure,  inefficient,  or  complex 
coding 

Lack  of  testing  and  remediation 

Poor  software  and  systems 
engineering  practices 

Interface  failures 

Inadequate  testing  in  relevant 
operational  environments 

Etc.,  Etc.,  Etc... 




Failed  Internal  Processes 


Poor  process  design  and 
execution 

Mistakes,  errors,  omissions 

Poor  supply  chain  management 

Poor  product  development 

Poor  capacity  planning 

Lack  of  process  controls 

Poor  support  processes  (e.g., 
accounting,  HR,  education  & 
training,  risk  management) 

Poor  governance  and  compliance 

Etc.,  Etc.,  Etc... 
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Failed  Internal  Processes 
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Microsoft lapse outages in Azure

REDMOND, Wash.  Microsoft unwittingly let an online security certificate expire Friday, triggering a worldwide outage in an online service that stores data for a wide range of business customers.

The sloppy housekeeping represents an embarrassing lapse for Microsoft Corp. as the software maker tries to bring in more revenue from the storage service, which is called Azure.

The expired certificate is needed to properly run online services such as Azure which use an "https" protocol to block unauthorized users from accessing information.
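The Azure story above is a failed-internal-process example in its purest form: nobody owned the certificate renewal, so expiry was discovered by the outage rather than by a control. The process fix is an owned certificate inventory with an expiry report that fires well before the notAfter date. The block below is an added example written for this page, not code from the original slides or from Microsoft; the hostnames, dates and the fixed "current time" are constructed sample data, and `fetch_not_after` is the live lookup (standard-library `ssl`) you would use to populate a real inventory.

```python
"""Certificate-expiry report over an inventory of TLS endpoints.

Added example for the Azure-outage slide; hostnames and dates below are
constructed sample data, not real certificates.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Inventory: hostname -> notAfter, in the string format that
# ssl.SSLSocket.getpeercert()["notAfter"] returns.  (Constructed sample data.)
SAMPLE_INVENTORY = {
    "storage.example.test": "Feb 22 23:59:59 2013 GMT",  # already expired
    "api.example.test":     "Mar 10 12:00:00 2013 GMT",  # inside the warning window
    "www.example.test":     "Dec 31 23:59:59 2013 GMT",  # fine
}

# Fixed "current time" so the demo and its expected output are reproducible.
DEMO_NOW = datetime(2013, 2, 23, 0, 0, 0, tzinfo=timezone.utc)


def fetch_not_after(host, port=443, timeout=5.0):
    """Live lookup used to populate a real inventory: open a verified TLS
    connection and return the leaf certificate's notAfter string.
    Not called by the offline demo."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now):
    """Days until expiry (negative once expired).  ssl.cert_time_to_seconds
    parses exactly the 'Mon DD HH:MM:SS YYYY GMT' format getpeercert uses."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now) / timedelta(days=1)


def expiry_report(inventory, now, warn_days=30):
    """Return [(host, days_left, status)] sorted most urgent first.
    status is 'EXPIRED', 'WARN' (less than warn_days left) or 'OK'."""
    rows = []
    for host, not_after in inventory.items():
        left = days_remaining(not_after, now)
        status = "EXPIRED" if left < 0 else "WARN" if left < warn_days else "OK"
        rows.append((host, round(left, 1), status))
    rows.sort(key=lambda row: row[1])
    return rows


def demo_report():
    """Report for the constructed inventory at DEMO_NOW."""
    return expiry_report(SAMPLE_INVENTORY, DEMO_NOW)


if __name__ == "__main__":
    for host, left, status in demo_report():
        print(f"{status:8} {host:24} {left:8.1f} days")
```

The report is only as good as the inventory feeding it, which is the point of the slide: the control that was missing was ownership of the list, not the ability to read a date. In practice the `WARN` threshold should exceed the longest renewal lead time in the process (CA turnaround plus change windows), and the report should run from a scheduler that is itself monitored.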
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External  Events 


Natural  disasters  (e.g.,  hurricane, 
earthquake,  flood,  disease, 
volcano) 

Terrorism 

Supply chain failures
Boycotts 

Economic  pressures 
Political  pressures 
Outsourcing 
Business cycles
Wars 

Etc.,  Etc.,  Etc... 
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Why  do  operational  risks  matter? 

Trust  and  confidence  of  employees  and  customers 
Reputation  and  image 

Regulatory  compliance,  fines,  and  legal  penalties 

Customer  retention  and  growth 

Life,  safety,  and  health  of  customers  and  employees 

Productivity  and  profitability 

Organizational  survival 


...  because  they  have  explicit  and  direct  IMPACT 
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?


Concept  of  Resilience 

& 

Operational  Resilience 
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A  Tree  under  Operational  Stress 


...while  achieving 
its  “business”  mission 
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re·sil·ience noun [ri-zil-yens]


power  or  ability  to  return  to  the  original  form, 
position,  etc.  after  being  bent,  compressed, 
or  stretched 


ability  of  an  ecosystem  to  return  to 
its  original  state  after  being 
disturbed 


ability  to  recover  readily  from  illness, 
depression,  adversity,  or  the  like 


capability  of  a  strained  body  to 
recover  its  size  and  shape  after 
deformation 


physical  property  of  a 
material  that  can  return  to  its 
original  shape  or  position 
after  deformation  that  does 
not  exceed  its  elastic  limit 


ability  to  recover  from 
or  adjust  easily  to 
misfortune  or  change 


ability  to  provide  and 
maintain  an  acceptable 
level  of  service  in  the  face 
of  faults  and  challenges  to 
normal  operation 
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Operational  Resilience 


The  emergent  property  of  an  entity 


•  that  can  continue  to  carry  out  its 
mission  in  the  presence  of 
operational  stress  and  disruption 
that  does  not  exceed  its  limit 


•  to  meet  its  mission  under  times  of 
disruption  or  stress  and  return  to 
normalcy  when  the  disruption  or 
stress  is  eliminated 
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Nation 

Armed  Forces 

Critical  Infrastructure 

System 

Network 

Supply  Chain 

Community 

An  Ecosystem 

Cyberspace 
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An  Analogy:  Health 


Is  there  a  place  that  you  can 
purchase  health? 


Is  there  a  place  where  health  is 
manufactured? 


How  do  you  become  healthy? 


Health  &  Resilience:  They  are  both  emergent  properties. 




Operational resilience and operational risk

Operational resilience emerges from effective operational risk management.

Operational risk categories:

• Actions of people

• Systems and technology failures

• Failed internal processes

• External events
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What makes an entity operationally resilient?

Operational Resilience is an emergent property; it emerges from things that we do, like these:

• Identification and mitigation of risks to the service and related assets

• Service continuity processes and planning

• Management of operations practices

• Management and deployment of people

• Practices to protect (control) and secure important information and technology assets

• Management of external parties (that provide parts of the service)

• Environmental management (where the service "lives")
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Operational  Resilience  Management 


It  is  the  overarching  (risk  management)  practice  of  planning, 
developing,  integrating,  executing,  and  governing  activities  to 
ensure  that  an  entity  and  the  environment  that  it  operates  in 
are  able  to: 


•  Identify and mitigate operational risks that can lead to system disruptions before they occur,

•  Prepare for and respond to disruptive events (natural or man-made, accidental or intentional) in a manner that demonstrates command and control of incident response, and

•  Recover  and  restore  mission-critical  operations  following  a 
disruptive  event  within  acceptable  time  frames. 
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Hurdles  to  Effective  Operational  Resilience  Management 


Vague  and  abstract  nature 
Compartmentalization 
Technology  focus 
Practice  proliferation 
Insufficient  funding 
Insufficient  success  metrics 
Discrete  nature  of  activity 
(Over)reliance  on  people 
Regulatory  climate 
Head-in-the-sand 
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Multiplicity  of  Preparedness  Planning 
Efforts 
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Another Analogy

[Figure: Information Security and Business Continuity as separate functions within the management of The Enterprise]
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?


Cornerstones of Operational Resilience
Cornerstones  of  Operational  Resilience 


■  Risk  Management 

•  Operational  Risk  Management 

■  Convergence 

■  Organizational  Construct  for  Resilience 
Activities 

■  Protection  and  Sustainment  Activities 

■  Lifecycle  View 

■  Institutionalization 
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Operational  Risk  Management 


A  form  of  risk  affecting  day-to-day 
business  operations 

A  very  broad  risk  category 

•  From  high-frequency  low-impact 
to  low-frequency  high-impact 

Exacerbated  by 

•  Actions  of  people 

•  Systems  and  technology  failures 

•  Failed  internal  processes 

•  External  events 


Operational  resilience  emerges  from  effective 
management  of  operational  risk. 
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Cornerstones of Operational Resilience

✓ Risk Management

  • Operational Risk Management

■ Convergence

■ Organizational Construct for Resilience Activities

■ Protection and Sustainment Activities

■ Lifecycle View

■ Institutionalization
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Convergence 


Enterprise  Risk  Management 


Benefits  of  Convergence  and  Integration 


Similar  activities  are  bound  by  same  risk  drivers 

Allows  for  better  alignment  between  risk-based  activities 
and  organizational  risk  tolerances  and  appetite 

Eliminates  redundant  activities  (and  associated  costs) 

Forces  collaboration  between  activities  that  have  similar 
objectives 

Enforces  a  mission  focus 

Facilitates  a  process  that  is  owned  across  the  organization 

Influences  how  operational  risk  and  resilience  management 
work  is  planned,  executed,  and  managed 
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Multiplicity of Preparedness Planning Efforts

[Figure: the many overlapping preparedness planning efforts found in an organization]

• Continuity of Operation (COOP)

• Business Continuity

• Physical Security

• Cyber Protection

• Preparedness Planning

• IT Disaster Recovery

• Supply Chain Continuity

• Crisis Communications

• Emergency Management

• Crisis Management

• IT Operations

• Risk Management

• Operational Risk Management
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An Analogy

[Figure: the Chief Information Security Officer alongside the Human Resources Department, Corporate Communications, and Corporate Security]
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Desired Solution Approach

[Figure: Operational Resilience at the center, with the following activities arranged around it]

• Business Continuity

• Disaster Recovery

• Workforce Continuity

• Crisis Communications

• Supply Chain Continuity

• Crisis Management

• Information Security

• Operations

• Physical Security

• Emergency Management
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Desired  Solution  Approach:  An  Analogy 
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Enemies  of  convergence 


Organizational  structures 

Traditional  funding  models 

Overuse  and  misuse  of  codes  of  practice 

Unclear  or  poorly  defined  and  communicated  risk  drivers 

Unclear  or  poorly  defined  enterprise  objectives,  strategic 
objectives,  and  critical  success  factors 

Lack  of  supporting  process-orientation  and  definition 

Lack  of  sponsorship  and  governance  for  the  process 

Lack  of  a  risk-aware  culture 
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?

□ What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort? Where would you start?


Cornerstones of Operational Resilience

✓ Risk Management

  • Operational Risk Management

✓ Convergence

■ Organizational Construct for Resilience Activities

■ Protection and Sustainment Activities

■ Lifecycle View

■ Institutionalization
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Services and Products

[Figure: Services and Products feeding the Organization Mission]

Outputs of an organization can be internally or externally focused. Collectively they enable an organization's mission.
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Productive Activities or Business Processes

[Figure: Productive Activities or Business Processes A, B, C and D feeding the Organization Mission]

Activities that the organization (and/or its suppliers) perform to ensure that services and products are generated.

A service or product is made up of one or more business processes.
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Assets 


Something  of  value  to  the  organization 

Asset  value  relates  to  the  importance  of  the  asset  in  meeting  the 
service  mission. 
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Asset  Types  of  Importance  to  Operational 
Resilience 
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Exercise - Steps 1 & 2

Step 1

Service Name: Inpatient Care

Service Mission: Provide continuous care to patients in hospital

Step 2

Asset 1: Nurses, Doctors (People)

Asset 2: Health records (Information)

Asset 3: Heart monitor (Technology)

Asset 4: Hospital (Facilities)
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Service  or  Product 


Operational  Resilience  Starts  at  Asset  Level 
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Exercise  -  Step  3 


A. What is the strategic importance of the service?

As a hospital, providing continuous care to in-patients is our top strategic objective.

B. Which asset could be disrupted and how?

Health records could be lost or corrupted due to record system failure.

C. What would be the impact on the service mission if the asset were disrupted?

Patients might not receive appropriate or timely care.

D. What consequences, if any, would the organization experience? Consider a) reputational harm, b) impacts to life, safety, and health of employees and customers, c) legal fines or penalties, and d) other financial losses.

Potential loss of life, serious reputational and financial harm.
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Cornerstones of Operational Resilience

✓ Risk Management

  • Operational Risk Management

✓ Convergence

✓ Organizational Construct for Resilience Activities

■ Protection and Sustainment Activities

■ Lifecycle View

■ Institutionalization
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Operational  Resilience  Starts  at  Asset  Level 
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Analogy  -  Protection  and  Sustainment 
Strategies 


Protection  Activities 

•  Translate  into  activities 
designed  to  keep  assets  from 
exposure  to  disruption 


•  Example:  “security”  activities, 
but  may  also  be  embedded  in 
IT  operations  activities 


Sustainability  Activities 

•  Translate  into  activities 
designed  to  keep  assets 
productive  during  adversity 

•  Example:  “business 
continuity”  activities 


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Service  or  Product 


Asset  Disruption 




Organizational Context for Resiliency Activities

[Figure: Productive Activities or Business Processes A, B, C and D enable the Organization Mission. Each is supported by People Assets, Information Assets, Technology Assets, Facility Assets and the Supply Chain. Beneath the assets sit the Operational Resilience Management Systems: Resiliency Processes I, II, III and IV.]

Examples:

• Disaster Recovery Planning

• Business Continuity Planning

• COOP

• Risk Management

• Information Security

• Crisis Management

• Emergency Management

• Pandemic Planning

• Supply Chain Continuity

• Etc, Etc, Etc...
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Organizational Context for Resilience Activities

[Figure: the same context diagram, with the People, Information, Technology and Facility Assets and the Supply Chain highlighted beneath Business Processes A to D and above Resilience Processes I to IV.]

This is where operational resilience management, protection, and sustainment begin.
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?

□ What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort? Where would you start?

□ Draw the resilience context diagram for your organization.


Resilience  Requirements  Drive  Strategies 


Resilience requirement

•  A constraint that the organization places on the productive capability of an asset in order to support the operational resilience of the services with which the asset is associated


Are  the  foundation  for 

•  Protection  strategies  (security  controls,  etc.) 

•  Sustainment  strategies  (service  continuity  plans,  etc.) 


Must  reflect  organization’s  risk  tolerances  and  appetite 
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Levels  of  requirements 


Three  levels  of  resilience  requirements 

1.  Enterprise  -  reflect  enterprise-level  needs,  expectations,  and 
constraints 

—  Example:  HIPAA  privacy  regulations 

2.  Service  -  reflect  the  resilience  needs  of  a  service  in  pursuit  of  its 
mission 

3.  Asset  -  set  by  the  owners  of  the  assets  and  establish  the  asset’s 
protection  and  sustainment  needs 

Iteration  may  be  necessary  to  harmonize  across  levels 
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Types  of  requirements 


Confidentiality  -  Ensuring  that  only  authorized  people, 
processes,  or  devices  have  access  to  an  information  asset 


Integrity  -  Ensuring  that  an  asset  remains  in  the  condition 
intended  and  so  continues  to  be  useful  for  the  purposes 
intended 


Availability  -  Ensuring  that  an  asset  remains  accessible  to 
authorized  users  (people,  processes,  or  devices)  whenever  it 
is  needed 
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Applicability of requirements

Not all resilience requirement types apply to all asset types under all circumstances.

Resilience Requirement   People   Information   Technology   Facilities
Confidentiality          -        X             -            -
Integrity*               X        X             X            X
Availability             X        X             X            X
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Exercise  -  Steps  4  &  5 


Select  an  asset  from  Step  2: 

Health  records 

Suggestion:  select  the  information  asset  identified  in  step  2. 


I 


Confidentiality: Ensuring that only authorized people, processes, or devices have access to an information asset

Confidentiality  requirements  for  the  asset: 

Health  records  may  only  be  accessed  by  the 
patient’s  doctor  and  authorized  staff. 

Example:  Patient  medical  records  may  only  be  viewed  by  the  patient's  doctor  and  medical  staff 
expressly  approved  by  the  patient's  doctor. 




Exercise  -  Steps  6  &  7 


I 


Integrity:  Ensuring  that  an  asset  remains  in  the  condition  intended  and  so  continues  to  be 
useful  for  the  purposes  intended 

Integrity  requirements  for  the  asset: 

Alterations  to  health  records  require  doctor’s 

approval. 

Example:  Patient  medical  records  may  be  altered  only  by  the  patient's  doctor.  Alterations  by  approved 
medical  staff  must  be  authorized  by  the  patient's  doctor. 


Availability:  Ensuring  that  an  asset  remains  accessible  to  authorized  users  (people,  processes, 
or  devices)  whenever  it  is  needed 

Availability  requirements  for  the  asset: 

Health  records  must  be  available  on  demand, 

24x7. 


Example:  Patient  medical  records  must  be  available  to  authorized  personnel  on  demand,  7  days  a 
week,  24  hours  a  day. 
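The three requirement statements above only protect the asset once something enforces them, which is what the next step of the exercise (protection strategies) asks for. The block below is an added example written for this page, not code from the original exercise or worksheet; the doctor, nurse and billing user names and the patient id are hypothetical. It turns the confidentiality and integrity requirements for the health-records asset into an authorization check with an audit trail: view access is limited to the patient's doctor and staff that doctor has expressly approved, and an alteration by approved staff is accepted only when it carries the doctor's authorization. The availability requirement is not an access decision and is left to the sustainment side.

```python
"""Authorization check for the health-records asset.

Added example; 'dr_lee', 'nurse_kim', 'billing_ops' and 'patient-001' are
hypothetical names, not data from the original exercise.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class HealthRecord:
    patient_id: str
    doctor_of_record: str                                   # the patient's doctor
    approved_staff: Set[str] = field(default_factory=set)   # staff expressly approved by that doctor
    entries: List[str] = field(default_factory=list)


class RecordAccessPolicy:
    """Confidentiality: only the doctor of record and staff approved by that
    doctor may view.  Integrity: the doctor alters freely; approved staff alter
    only with the doctor's authorization.  Every decision is audited."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, str]] = []    # (action, user, patient_id, outcome)

    def _decide(self, action: str, user: str, patient_id: str, allowed: bool, reason: str) -> bool:
        outcome = "ALLOW" if allowed else f"DENY ({reason})"
        self.audit.append((action, user, patient_id, outcome))
        return allowed

    def approve_staff(self, record: HealthRecord, acting_user: str, staff: str) -> bool:
        # Delegation is itself privileged: only the doctor of record may approve staff.
        if acting_user != record.doctor_of_record:
            return self._decide("approve", acting_user, record.patient_id, False, "not doctor of record")
        record.approved_staff.add(staff)
        return self._decide("approve", acting_user, record.patient_id, True, "")

    def can_view(self, record: HealthRecord, user: str) -> bool:
        allowed = user == record.doctor_of_record or user in record.approved_staff
        return self._decide("view", user, record.patient_id, allowed, "not doctor or approved staff")

    def alter(self, record: HealthRecord, user: str, entry: str,
              authorized_by: Optional[str] = None) -> bool:
        if user == record.doctor_of_record:
            allowed, reason = True, ""
        elif user in record.approved_staff and authorized_by == record.doctor_of_record:
            allowed, reason = True, ""
        elif user in record.approved_staff:
            allowed, reason = False, "alteration not authorized by doctor of record"
        else:
            allowed, reason = False, "not doctor or approved staff"
        if allowed:
            record.entries.append(f"{entry} [by {user}]")
        return self._decide("alter", user, record.patient_id, allowed, reason)


def demo():
    """Walk the policy through the cases the requirements distinguish."""
    record = HealthRecord("patient-001", doctor_of_record="dr_lee")
    policy = RecordAccessPolicy()
    results = {
        "nurse_view_before_approval": policy.can_view(record, "nurse_kim"),
        "nurse_self_approval":        policy.approve_staff(record, "nurse_kim", "nurse_kim"),
        "doctor_approves_nurse":      policy.approve_staff(record, "dr_lee", "nurse_kim"),
        "nurse_view_after_approval":  policy.can_view(record, "nurse_kim"),
        "billing_view":               policy.can_view(record, "billing_ops"),
        "nurse_alter_unauthorized":   policy.alter(record, "nurse_kim", "BP 120/80"),
        "nurse_alter_authorized":     policy.alter(record, "nurse_kim", "BP 120/80", authorized_by="dr_lee"),
        "doctor_alter":               policy.alter(record, "dr_lee", "Prescribed antibiotic"),
    }
    return results, record, policy.audit


if __name__ == "__main__":
    results, record, audit = demo()
    for name, ok in results.items():
        print(f"{name:28} {'ALLOW' if ok else 'DENY'}")
    print("entries:", record.entries)
    print("denied decisions:", sum(1 for a in audit if a[3].startswith("DENY")))
```

Two design points carry over to a real system. The approval itself is gated on the doctor of record, otherwise any staff member could grant themselves access and the confidentiality requirement would be hollow. And the audit trail records denials as well as allows, because the integrity requirement is only demonstrable after the fact if unauthorized alteration attempts are visible.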
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Operational  risk  and  resilience 


Operational  resilience 
requires  optimizing  these 
strategies  in  a  way  that 

•  Minimizes  operational 
risk  (to  the  associated 
services) 

•  Makes efficient use of resources

•  Sustains the functionality of the asset.

This  is  the  management 
challenge  of  operational 
resilience. 
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Exercise  -  Steps  8  &  9 


Use  this  part  of  the  exercise 
worksheet  to  develop 
protection  and  sustainment 
strategies  for  your  asset 
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Developing a resilience strategy

Software Engineering Institute | Carnegie Mellon

© 2011 Carnegie Mellon University


Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?

□ What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort?

□ Draw the resilience context diagram for your organization.

□ What are your resilience requirement categories?

□ Repeat the exercise for your organization.


Cornerstones of Operational Resilience

✓ Risk Management

  • Operational Risk Management

✓ Convergence

✓ Organizational Construct for Resilience Activities

✓ Protection and Sustainment Activities

■ Lifecycle View

■ Institutionalization
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Lifecycle  View 


Plan 


Design  /  Develop/  Acquire 


Deploy 


Operate 


Retire 


Resilience  Engineering 


Protection  and  Sustainment  Activities 


To  improve  and  sustain  an  entity’s  operational  resilience,  it  is 
not  sufficient  to  only  improve  protection  and  sustainment 
activities. 

resilience  should  not  be  an  afterthought  bolt-on 
resilience  should  be  engineered  and  built-in 


Resilience  Management  is  a  Total  Lifecycle  Concept 
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Cornerstones of Operational Resilience

✓ Risk Management

  • Operational Risk Management

✓ Convergence

✓ Organizational Construct for Resilience Activities

✓ Protection and Sustainment Activities

✓ Lifecycle View

■ Institutionalization
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What  do  these  organizations  have  in 
common? 


Customer  Happiness 


Customer  Service 


Strong 


Culture 


Tradition 

Protection 


Chain  of  Command 
Unit  Cohesion 
Regulations 
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Institutionalizing  a  Culture  of  resilience 


institutionalize verb (UK usually institutionalise) /ˌɪnstɪˈtjuːʃənəlaɪz/ [T]

to make something become part of a particular society, system, or organization

"What was once an informal event has now become institutionalized."


Organizations  must  provide  explicit 
guidance  for  institutionalizing  resilience 
activities  so  that  they  persist  over  time 


Ask  not  how  well  am  I  performing  today? 

Ask  do  I  have  what  it  takes  to  sustain  high  performance  beyond  today? 


Is  there  one  place  that  I  can  go  to  see 
what  are  all  the  right  things  that  an 
organization  should  do  in  order  to 
improve  and  manage  its  operational 
resilience  in  a  systematic,  practical, 
and  proven  manner? 


Maturity  Models 


Today’s  Operating  Environment 


Rapid  changes  in  technology 
and  its  application  in  a  wide 
range  of  industries. 


Introduction  of  many  new 
systems,  business  processes, 
markets,  risks,  and  enterprise 
approaches. 


Many  immature  products  and 
services  being  consumed  by 
enterprises  that  themselves 
are  in  a  state  of  change. 
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Challenges  at  Hand 


How  can  you  tell  if  you  are  doing  a  good  job  of  managing  these  changes? 


What  are  effective  ways  to  monitor  your  progress? 


How  do  you  manage  the  interactions  of  systems 
and  processes  that  are  continually  changing? 


How  do  poor  processes  impact 
interoperability,  safety,  reliability, 
efficiency,  and  effectiveness? 
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Maturity  Model  Defined 


An  organized  way  to  convey  a  path  of 
experience,  wisdom,  perfection,  or  acculturation. 

Depicts  an  evolutionary  progression  of  an 
attribute,  characteristic,  pattern,  or  practice. 


The  subject  of  a  maturity  model  can  be 
objects  or  things,  ways  of  doing 
something,  characteristics  of 
something,  practices, 
controls, or processes.
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Maturity  Models  Provide... 

Means  for  assessing  and  benchmarking  performance 
Ability  to  assess  how  a  set  of  characteristics  have  evolved 
Expression  of  a  body  of  knowledge  of  best  practices 
Means  to  identify  gaps  and  develop  improvement  plans 
Roadmap  for  model-based  improvement 
Demonstrated  results  of  improvement  efforts 
Common  language  or  taxonomy 




Key  Components  of  a  Maturity  Model 


Levels 

•  The  measurement  scale 

•  The  transitional  states 

Domains 

•  Logical  groupings  of  like  attributes  into  areas  of  importance 
to  the  subject  matter  and  intent  of  the  model 

•  Logical  groupings  of  like  practices,  processes,  or  good 
things  to  do 

Attributes 

•  Core  content  of  the  model  arranged  by  domains  and  levels 

•  Typically  based  on  observed  practices,  standards,  or  expert 
knowledge 

Diagnostic 

Methods 

•  For  assessment,  measurement,  gap  identification, 
benchmarking 

Improvement 

Roadmaps 

•  To  guide  improvement  efforts  (Plan-Do-Check-Act; 
Observe-Orient-Decide-Act) 
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Progression  Model  Defined 


Levels  describe  higher  states 
of  achievement,  advancement, 
completeness,  or  evolution 


Levels  can  be  arbitrary  as 
agreed  upon  by  users, 
industry,  etc. 


Simple progression or scaling of an attribute, characteristic, pattern, or practice


A  Maturity 
Progression  for  Toy 
Building  Bricks 
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Progression  Model  Example 


A  Maturity  Progression  for 
Authentication 

Three-factor  authentication 

Two-factor  authentication 

Addition  of  changing  every  60  days 

Use  of  strong  passwords 

Use of simple passwords


A  Maturity 
Progression  for 
Human  Mobility 

Fly 

Sprint 

Run 

Jog 

Walk 

Crawl 
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Progression Model Example: SGMM

[Figure: the SGMM matrix of maturity levels against domains]

Characteristics: features you would expect to see at each stage of the smart grid journey

Domains:

• SMR: Strategy, Management & Regulatory

• OS: Organization & Structure

• GO: Grid Operations

• WAM: Work & Asset Management

• TECH: Technology

• CUST: Customer

• VCI: Value Chain Integration

• SE: Societal & Environmental
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Benefits  &  Limitations  of  Progression  Models 


Benefits

♦ Provides a transformative roadmap

♦ Simple to understand and adopt; low adoption cost

♦ Easy to recalibrate as technologies and practices advance

Limitations

♦ Levels are arbitrarily defined and may be meaningless for achieving objectives

♦ Achieving higher levels does not necessarily translate into “maturity”

♦ Often confused with CMMs; thus users inaccurately project traits of CMMs on progression models




Capability  Maturity  Models  (CMM) 


A more complex instrument that characterizes

— the maturity of processes

— the degree to which processes are institutionalized

— the maturity of the culture of the organization

— the extent to which the organization demonstrates process maturity

• Levels reflect the extent to which a particular set of practices has been institutionalized

— Institutionalized processes are more likely to be retained during times of stress.
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Capability  Maturity  Model  Levels 


Level 0 (Incomplete): practices are incomplete

Level 1 (Performed): practices are performed

Higher levels: processes are acculturated, defined, measured, and governed

Higher degrees of institutionalization translate to more stable processes that

• are repeatable

• produce consistent results over time

• are retained during times of stress
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Capability  Maturity  Model  Example 
CERT-RMM 


CERT-RMM, Version 1.1

CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White

Framework for managing and improving operational resilience

“...an extensive superset of the things an organization could do to be more resilient.”

— CERT-RMM adopter

http://www.cert.org/resilience/
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Benefits  and  Limitations  of  CMMs 


Benefits 

•  Provides  for 
measurement  of  core 
competencies 

•  Provides  for  rigorous 
measurement  of 
capability — the  ability  to 
retain  core  competencies 
under  times  of  stress 

•  Can  provide  a  path  to 
quantitative 
measurement 


Limitations 

•  Sometimes  difficult  to 
understand  and  apply; 
high  adoption  cost 

•  “Maturity”  may  not 
translate  into  actual  results 

•  Potential  false  sense  of 
achievement:  achieving 
high  maturity  in  security 
practices  may  not  mean 
the  organization  is 
“secure” 
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Compare:  Progression  vs  CMM 


Progression Model (human mobility):

Level 3: Run
Level 2: Jog
Level 1: Walk
Level 0: Crawl

Capability Model (core practices):

Level 3: Defined
Level 2: Managed
Level 1: Performed
Level 0: Incomplete
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Hybrid  Models 

Combine best features of progression and capability maturity models

•  Allow  for  measurement  of  evolution  or  achievement  as  in 
progression  models 

•  Add  the  ability  to  measure  capability  or  institutionalization  with 
the  rigor  of  a  CMM 

Levels  reflect  both  achievement  and  capability 

Transitions  between  levels: 

•  Similar  to  a  capability  model 
(i.e.,  describe  capability  maturity) 

•  Architecturally  use  the  characteristics, 
indicators,  attributes,  or  patterns  of  a 
progression  model 
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Hybrid Model

Capability or “maturity” levels (Level 0 Incomplete, Level 1 Planned, Level 2 Managed, Level 3 Measured, Level 4 Defined), applied across Domain 1, Domain 2, ... Domain n.

Domains: Specific categories of attributes, characteristics, patterns, or practices that form the content of the model.

Model content: Specific attributes, characteristics, patterns, or practices that represent progression and capability.

Maturity Levels: Defined sets of characteristics and outcomes, plus capability considerations.
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Hybrid Model Example: ES-C2M2

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Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Version 1.0, 31 May 2012

10 Model Domains: Logical groupings of cybersecurity practices

Maturity Indicator Levels


When  Does  It  Make  Sense  to  Use  Maturity 
Models? 

• Requirement for a structured approach

• Demonstrated, measurable results based on an established body of knowledge

• A defined roadmap from a current state to a desired state

• An ability to monitor and measure progress, particularly in the presence of change

• Response to a strategic improvement or new product/new market objective
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When  Does  It  Make  Sense  to  Use  Maturity 
Models?  (cont.) 

Desire  to  answer  these  questions  in  a  repeatable,  predictable 
manner: 

•  How  do  I  compare  with  my  peers?  (ability  to  benchmark) 

•  How  can  I  determine  how  secure  I  am  and  if  I  am  secure  enough? 

•  How  do  I  measure  my  current  state?  Characterize  my  desired  state? 

•  What  concrete  actions  do  I  need  to  take  to  improve?  And  in  what 
order? 

•  How  do  I  measure  progress  toward  my  desired  state? 

•  How  do  I  adapt  to  change? 
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Overview  of 

CERT  Resilience  Management  Model 

(CERT-RMM) 


CERT’  Resilience 
Management  Model 


A  Maturity 
Model  for 
Managing 
Operational 
Resilience 

Richard  A.  Caralli 
Julia  H.  Allen 
David  W.  White 
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Background  &  History 



CERT  Resilience  Management  Model 
(CERT-RMM) 


Framework for managing and improving operational resilience

http://www.cert.org/resilience/

“...an extensive superset of the things an organization could do to be more resilient.”

— CERT-RMM adopter

CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White
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What  is  CERT-RMM? 


Guides  implementation  and  management  of  operational 
resilience  activities 

Enables  and  promotes  the  convergence  of 

•  COOP,  IT  Disaster  Recovery,  Business  Continuity 

•  Information  Security,  Cyber  security 

•  IT  Operations 

A  capability  model  for  managing  &  improving  operational 
resilience 

•  Defines  maturity  through  capability  levels 

•  Enables  assessment  and  measurement 




What  is  CERT-RMM?  (Cont.) 


Applicable  to  a  variety  of  organizations 

•  small  or  large 

•  simple  or  complex 

•  public  or  private 

Descriptive  rather  than  prescriptive 

•  Focuses  on  the  “what”  not  the  “how” 

Improves  confidence  in  how  an  organization  responds  in  times  of 
operational  stress 
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How  was  RMM  developed? 


• Collaboration with high maturity organizations

• DR and BC knowledge of the financial industry

• 800+ practices for security, BC, DR, & IT ops

• 20+ years of security management knowledge at CERT

• Process improvement architecture & experience

• Piloting in private and government organizations

RMM codifies best practices for Info. Sec., IT DR, and BC from world-leading organizations and numerous standards and codes of practice.
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What  drove  development  of  RMM? 

Increasingly  complex  operational  environments 

Siloed  nature  of  operational  risk  activities 

Lack  of  common  language  or  taxonomy 

Overreliance  on  technical  approaches 

Lack  of  means  to  measure  organizational  capability 

Inability  to  confidently  predict  outcomes,  behaviors,  and 
performance  under  times  of  stress 
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RMM  -  The  Model 


Guidelines  and  practices  for 

•  Converging  of  security,  business  continuity,  disaster  recovery,  and 
IT  ops 

•  Implementing,  managing,  and  sustaining  operational  resilience 
activities 

•  Managing  operational  risk  through  process 

•  Measuring  and  institutionalizing  the  Resilience  process 

Common  vernacular  and  basis  for  planning, 
communicating,  and  evaluating  improvements 

Focuses  on  “what”  not  “how” 

Organized  into  26  process  areas 


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RMM  Process  Areas 


Access  Management 

Asset  Definition  and  Management 

Communications 

Compliance 

Controls  Management 

Enterprise  Focus 

Environmental  Control 

External  Dependencies 

Financial  Resource  Management 

Human  Resource  Management 

Identity  Management 

Incident  Management  &  Control 

Knowledge  &  Information  Mgmt 
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Measurement  and  Analysis 

Monitoring 

Organizational  Process  Focus 

Organizational  Process  Definition 

Organizational  Training  &  Awareness 

People  Management 

Resilience  Requirements  Development 

Resilience  Requirements  Management 

Resilient  Technical  Solution  Engr. 

Risk  Management 

Service  Continuity 

Technology  Management 

Vulnerability  Analysis  &  Resolution 
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CERT  Resilience  Management  Model 
(CERT-RMM) 


Framework for managing and improving operational resilience

A process improvement model

http://www.cert.org/resilience/

“...an extensive superset of the things an organization could do to be more resilient.”

— CERT-RMM adopter

CERT-RMM, Version 1.1

CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White
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Core  Principle  and  Focus  of  RMM 


System or Product Perspective

The quality of a system or product is highly influenced by the quality of the process used to acquire, develop, and maintain it.

Transforming the quality of the product (output) by transforming the process by which the product is developed and produced.

Operational Resilience Perspective

The ability of the organization to sustain operations in the face of operational risk is highly influenced by the quality of the process used to ensure assets remain protected and sustained.

Transforming some (emergent) quality of the organization, called operational resilience, by focusing on the processes of activities that support operational resilience management systems.
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Foundational  Elements  of  CERT-RMM 


Operational Resilience
■ Operational Risk Management

Convergence

Organizational Construct for Resilience Activities

Protection & Sustainment Activities

Institutionalization
■ Capability Dimension

Lifecycle View

Code of Practice Crosswalk
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Organizational  Context  for  Resilience  Activities 
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RMM  Combines  Two  Approaches 


Process Dimension: Operational Resilience Management System (what to do)

Comprehensive non-prescriptive guidance on what to do to manage operational resilience

Capability Dimension: Process Institutionalization and Improvement (making it stick)

Proven guidance for institutionalizing processes so that they persist over time
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Code  of  Practice  Crosswalk 


Links RMM practices to commonly used codes of practice and standards

Including:

• ANSI/ASIS SPC.1-2009

• BS 25999

• COBIT 4.1

• COSO ERM Framework

• CMMI

• FFIEC BCP Handbook

• ISO 20000-2

• ISO/IEC 24762

• ISO/IEC 27005

• ISO/IEC 31000

• NFPA 1600

• PCI DSS

• Etc...

Software Engineering Institute, CERT® Program. CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1. Kevin G. Partridge, Lisa R. Young. Technical Note CMU/SEI-2011-TN-012, October 2011.
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RMM  Code  of  Practice  Crosswalk 


Extensive  Tabular  Crosswalk  between  RMM’s  26  Process  Areas  and  251 
Specific  Practices  and  Key  Industry  Standards 
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Organization  of  the  Model 
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Process  Area  Structure  &  Components 


Components of a process area:

Process Area Icon & Tag

Purpose Statement

Introductory Notes

Related Process Areas

Summary of Goals & Practices

Required component: goals (what to do)

Expected component: practices

Informative component: references, amplifications, notes
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Process Area (PA) structure:

Specific Goals (SG): describe "what" to do to achieve the capability

Specific Practices (SP): practices support goal achievement; a suggested way to meet the goal

Generic Goals (GG): describe the characteristics that must be present to institutionalize the processes

Generic Practices (GP): activities that ensure the processes associated with the PA will be effective, repeatable, and lasting

Practices are accompanied by Typical Work Products and Examples.

Process area components: Process Area Icon & Tag; Purpose Statement; Introductory Notes; Related Process Areas; Summary of Goals & Practices.
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Example:  Service  Continuity  Process  Area 


Access  Management 

Measurement  and  Analysis 

Asset  Definition  and  Management 

Monitoring 

Communications 

Organizational  Process  Focus 

Compliance 

Organizational  Process  Definition 

Controls  Management 

Organizational  Training  &  Awareness 

Enterprise  Focus 

People  Management 

Environmental  Control 

Resilience  Requirements  Development 

External  Dependencies 

Resilience  Requirements  Management 

Financial  Resource  Management 

Resilient  Technical  Solution  Engr. 

Human  Resource  Management 

Risk  Management 

Identity  Management 

Service  Continuity 

Incident  Management  &  Control 

Technology  Management 

Knowledge  &  Information  Mgmt 

Vulnerability  Analysis  &  Resolution 
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Example:  Service  Continuity  Process  Area 


SERVICE CONTINUITY

Purpose

The purpose of Service Continuity is to ensure the continuity of essential operations of services and related assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.

Introductory Notes

The continuity of an organization’s service delivery is a paramount concern in the organization’s operational resilience activities. The organization can invest considerable time and resources in attempting to prevent a range of potential disruptive events, but no organization can mitigate all risk. As a result, the organization must be prepared to deal with the consequences of a disruption to its operations at any time. Significant disruption can result in dire circumstances for the organization, even bankruptcy or termination.




Example:  Service  Continuity  Process  Area 


Summary of Specific Goals and Practices

SC:SG1 Prepare for Service Continuity
  SC:SG1.SP1 Plan for Service Continuity
  SC:SG1.SP2 Establish Standards and Guidelines for Service Continuity
SC:SG2 Identify and Prioritize High-Value Services
  SC:SG2.SP1 Identify the Organization’s High-Value Services
  SC:SG2.SP2 Identify Internal and External Dependencies and Interdependencies
  SC:SG2.SP3 Identify Vital Organizational Records and Databases
SC:SG3 Develop Service Continuity Plans
  SC:SG3.SP1 Identify Plans to Be Developed
  SC:SG3.SP2 Develop and Document Service Continuity Plans
  SC:SG3.SP3 Assign Staff to Service Continuity Plans
  SC:SG3.SP4 Store and Secure Service Continuity Plans
  SC:SG3.SP5 Develop Service Continuity Plan Training
SC:SG4 Validate Service Continuity Plans
  SC:SG4.SP1 Validate Plans to Requirements and Standards
  SC:SG4.SP2 Identify and Resolve Plan Conflicts
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Example:  Service  Continuity  Process  Area 


SC:SG2.SP1 Identify the Organization’s High-Value Services

The high-value services of the organization and their associated assets are identified.

The identification and prioritization of the organization’s high-value services as strategic planning activities are addressed in the Enterprise Focus process area. This practice is included here to emphasize the importance of prioritizing high-value services as a foundation

Typical work products

1. Prioritized list of high-value organizational services, activities, and associated assets

2. Results of security risk assessment and business impact analyses

Subpractices

1. Identify the organization’s high-value services, associated assets, and activities.

2. Analyze and document the relative value of providing these services and the resulting impact on the organization if these services are interrupted.

Consideration of the consequences of the loss of high-value organizational services is typically performed as part of a business impact analysis. In addition, the conse-




RMM  Process  Areas 


Access  Management 

Asset  Definition  and  Management 

Communications 

Compliance 

Controls  Management 

Enterprise  Focus 

Environmental  Control 

External  Dependencies 

Financial  Resource  Management 

Human  Resource  Management 

Identity  Management 

Incident  Management  &  Control 

Knowledge  &  Information  Mgmt 
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Measurement  and  Analysis 

Monitoring 

Organizational  Process  Focus 

Organizational  Process  Definition 

Organizational  Training  &  Awareness 

People  Management 

Resiliency  Requirements  Development 

Resiliency  Requirements  Management 

Resilient  Technical  Solution  Engr. 

Risk  Management 

Service  Continuity 

Technology  Management 

Vulnerability  Analysis  &  Resolution 
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Using  the  Model 
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CERT-RMM  can  be  used  as  a... 


•  Starting point for socializing convergence principles across security, business continuity, and IT operations activities

•  Reference  model  for  understanding  the  scope  of  managing 
operational  resilience 

•  Taxonomy 

•  Organizing  construct  for  codes  of  practice 

•  Process  improvement  model  to  catalyze  a  process  improvement 
effort 

•  Baseline  from  which  to  appraise  an  organization’s  capability 

•  Guide  for  improvement  in  areas  where  an  organization’s  capability 
does  not  equal  its  desired  state 

•  Source  of  ideas  and  guidance  for  solving  problems  in  the 
organization’s  operation 
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Using  CERT-RMM  for  Improvement 


Improvement cycle: Recognize Objective → Determine Scope → Identify Gaps → Analyze Gaps → Implement Changes → Evaluate Results (and repeat)
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NOTE:  Guidance  for  Putting  it  into  Practice 

Two  sample  (very  different)  scenarios  for  putting  principles  of 
operational  resilience  into  practice: 

1. A major and visible disruptive event has taken place and you want to apply concepts from this module to deal with it.

2. There is a desire to put in place a strategic plan to raise the bar.


NOTE:  Both  are  “improvement”  activities. 
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Recognizing  Objectives 

Objectives  frame  and  provide  context 

Answer the question: What are we trying to accomplish with the improvement effort?

Typical themes:

• Are we doing all that we should to manage business continuity (or security, IT ops, or a combination)?

• How can we minimize the potential disruption from <some known risk or category of risk>?

• How can we improve the efficiency, effectiveness, or consistency of our operational risk management activities (security, BC, & IT ops)?

• Do our policies and guidelines produce the risk management activities that we want them to? How can we improve policy?
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Determining  Scope 


Two elements:

• Organizational scope: On which part of the organization will we focus?

• Model scope: Which parts of the CERT-RMM will we use?

— Whole process areas (1-6 typically)

— Parts of process areas (a set of practices)


Both  elements  should  align  with  objectives  and  sponsorship 

Model  scoping  can  be  easily  accomplished  by  walking  the 
model  outline  in  a  small  workshop  or  meeting 
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Organizational  Scope 


Where,  in  the  organization, 
process  improvement  will  be 
focused 

Must  consider 

•  Span  of  sponsorship 
developed  in  Initiating  phase 

•  Span  of  authority  of  the 
improvement  team 

•  Schedule  feasibility  for 
desired  improvements 

•  Start  small 


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Model  Scope 



Determines  which  areas  of  the  model  will  be  selected  for 
process  improvement 

When  selecting,  consider  process  areas  that 

•  May  be  causing  “pain”  or  perceived  weakness 

•  Align  with  regulatory  or  industry  initiatives  and  objectives 

•  Align  with  organizational  objectives  or  initiatives 

•  Support  other  organizational  process  improvement  initiatives  such 
as  Six  Sigma  or  ITIL 

•  Explore  areas  in  which  the  organization  needs  to  develop 
competency 
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Identifying  Gaps 


Approaches ordered from formal and rigorous (high formality, complexity, and methodology) to informal and lightweight:

CERT-RMM Capability Appraisals (CAM)

• Outputs include detailed practice-level characterizations and written findings statements

• Different degrees of rigor

• Adapted from CMMI SCAMPI methods

Questionnaire-based gap analysis

• Examples: CRR, ES-C2M2

Gap Analysis Roundtable or Workshop

• Assemble a group of internal experts

• Informally evaluate the organization’s implementation of the model practices in a roundtable or workshop setting
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CERT-RMM  Appraisal  Comparison 


Identify Gaps

Each appraisal class rates a process area's specific and generic goals by characterizing its specific and generic practices.

Class A
  Outputs: Capability Level Ratings (0, 1, 2, or 3); Goal Ratings (Satisfied or Not Satisfied); Characterization of implementation on 5-point scale (Fully, Largely, Partially, Not, Not Yet Implemented); Findings statements (strengths & weaknesses)
  Appraisal team: 4 or more
  Depth of investigation: High
  Resource requirements: High

Class B
  Outputs: Characterization of approach on 3-point scale (High, medium, low); Statements (strength/weakness)
  Appraisal team: 2 or more
  Depth of investigation: Medium
  Resource requirements: Medium

Class C
  Outputs: Characterization of intent on 3-point scale (High, medium, low); Statements (strength/weakness)
  Appraisal team: 1 or more
  Depth of investigation: Low
  Resource requirements: Low
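The Class A outputs listed above (5-point practice characterization, goal ratings, capability level rating, findings statements) rolled up in code, as an added example that is not from the course or from CERT. The roll-up rule (a goal is Satisfied only when every practice under it is Fully or Largely Implemented; Level 1 needs all specific goals, Level 2 adds GG2, Level 3 adds GG3) is an assumption modelled on the SCAMPI method the Identifying Gaps slide says the appraisal is adapted from; goal and SP tags follow the Service Continuity excerpt, while the GP-a/GP-b generic-practice tags are placeholders.

```python
from dataclasses import dataclass
from enum import Enum


class Impl(Enum):
    """Characterization of implementation on the 5-point scale."""
    FULLY = "Fully Implemented"
    LARGELY = "Largely Implemented"
    PARTIALLY = "Partially Implemented"
    NOT = "Not Implemented"
    NOT_YET = "Not Yet Implemented"


# Assumed SCAMPI-style rule: a goal is Satisfied only when every practice
# supporting it is characterized as Fully or Largely Implemented.
SATISFYING = {Impl.FULLY, Impl.LARGELY}
LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed", 3: "Defined"}


@dataclass
class Goal:
    tag: str          # e.g. "SC:SG1" (specific) or "SC:GG2" (generic)
    practices: dict   # practice tag -> Impl characterization

    def satisfied(self) -> bool:
        return bool(self.practices) and all(
            c in SATISFYING for c in self.practices.values())

    def gaps(self) -> list:
        """Practice tags that keep this goal from being satisfied."""
        return [p for p, c in self.practices.items() if c not in SATISFYING]


@dataclass
class ProcessAreaAppraisal:
    tag: str
    specific_goals: list   # Goal objects
    generic_goals: dict    # capability level -> Goal (2 -> GG2, 3 -> GG3)

    def all_goals(self) -> list:
        return self.specific_goals + [self.generic_goals[k]
                                      for k in sorted(self.generic_goals)]

    def goal_ratings(self) -> dict:
        return {g.tag: "Satisfied" if g.satisfied() else "Not Satisfied"
                for g in self.all_goals()}

    def capability_level(self) -> int:
        # Level 1 (Performed) needs every specific goal satisfied; Level 2
        # (Managed) adds GG2; Level 3 (Defined) adds GG3 on top of GG2.
        if not all(g.satisfied() for g in self.specific_goals):
            return 0
        level = 1
        for lvl in (2, 3):
            gg = self.generic_goals.get(lvl)
            if gg is None or not gg.satisfied():
                break
            level = lvl
        return level

    def findings(self) -> list:
        """One strength statement per satisfied goal, one weakness per gap."""
        out = []
        for g in self.all_goals():
            if g.satisfied():
                out.append(f"Strength: {g.tag} satisfied")
            for p in g.gaps():
                out.append(f"Weakness: {p} is {g.practices[p].value}; "
                           f"{g.tag} not satisfied")
        return out


def sample_appraisal() -> ProcessAreaAppraisal:
    """Constructed characterizations for the Service Continuity (SC) area.
    Goal and SP tags follow the SC excerpt; GP-a/GP-b are placeholders."""
    return ProcessAreaAppraisal(
        tag="SC",
        specific_goals=[
            Goal("SC:SG1", {"SC:SG1.SP1": Impl.FULLY, "SC:SG1.SP2": Impl.LARGELY}),
            Goal("SC:SG2", {"SC:SG2.SP1": Impl.FULLY, "SC:SG2.SP2": Impl.FULLY,
                            "SC:SG2.SP3": Impl.LARGELY}),
            Goal("SC:SG3", {"SC:SG3.SP1": Impl.FULLY, "SC:SG3.SP2": Impl.FULLY,
                            "SC:SG3.SP3": Impl.LARGELY, "SC:SG3.SP4": Impl.FULLY,
                            "SC:SG3.SP5": Impl.LARGELY}),
            Goal("SC:SG4", {"SC:SG4.SP1": Impl.FULLY, "SC:SG4.SP2": Impl.LARGELY}),
        ],
        generic_goals={
            2: Goal("SC:GG2", {"SC:GG2.GP-a": Impl.FULLY, "SC:GG2.GP-b": Impl.LARGELY}),
            3: Goal("SC:GG3", {"SC:GG3.GP-a": Impl.PARTIALLY, "SC:GG3.GP-b": Impl.NOT_YET}),
        },
    )


if __name__ == "__main__":
    sc = sample_appraisal()
    lvl = sc.capability_level()
    print(f"{sc.tag}: capability level {lvl} ({LEVEL_NAMES[lvl]})")
    print(*sc.findings(), sep="\n")
```

With the constructed data the area reaches Level 2 (Managed) because GG3 has gaps; downgrading a single specific practice to Partially drops it to Level 0 regardless of how well GG2 is institutionalized.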
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Analyzing  Gaps 

To make sure that closing gaps makes sense, gaps should be analyzed:

•  Is  the  cost  for  closing  a  gap  worth  the  investment? 

•  Are  there  any  efficiencies  that  can  be  realized  by  making  the 
changes  to  close  one  or  more  gaps  (efficiencies  may  include 
streamlining  controls  or  compliance  activities)? 

•  Which  gaps  are  most  important  in  the  context  of  the  objective? 

•  Are  the  organizational  changes  necessary  to  close  the  gaps  within 
the  bounds  of  sponsorship? 

Output  is  a  set  of  prioritized  gaps  to  be  closed 
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Implementing  Changes 


Use  model  guidance 

•  Subpractices  and  other  informative  material  provide  implementation 
guidance 

•  Code  of  Practice  Crosswalk  highlights  connections  between  CERT- 
RMM  and  relevant  standards  and  codes  of  practice,  which  can  serve 
as  additional  implementation  guidance 

•  Generic  practices  in  the  model  provide  guidance  for  having  the 
changes  persist  in  the  organization 

Consider  measurements  that  could  be  implemented  with  the 
changes  to  help  monitor  results  and  inform  management 
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Evaluating  Results 


Did  we  achieve  the  objective? 


Did  the  changes  stick?  Can  we  be  sure  the  new  state  will 
persist? 


Are  additional  needs  or  objectives  now  apparent? 

When  should  we  make  another  improvement  cycle? 

If  measurements  were  implemented,  are  they  revealing 
desired  trends? 
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?

□ What operational risk management activities (silos) exist? Are there opportunities for convergence of some sort?

□ Draw the resilience context diagram for your organization.

□ What are your resilience requirement categories?

□ Repeat the exercise for your organization.

□ Select a process improvement cycle. Do you already use one?


CERT  Resilience  Management  Model 
(CERT-RMM) 


CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White

http://www.cert.org/resilience/

Framework for managing and improving operational resilience

“...an extensive superset of the things an organization could do to be more resilient.”

— CERT-RMM adopter
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For Managing Disaster Recovery, COOP, Business Continuity Policies


Access  Management 

Measurement  and  Analysis 

Asset  Definition  and  Management 

Monitoring 

Communications 

Organizational  Process  Focus 

Compliance 

Organizational  Process  Definition 

Controls  Management 

Organizational  Training  &  Awareness 

Enterprise  Focus 

People  Management 

Environmental  Control 

Resiliency  Requirements  Development 

External  Dependencies 

Resiliency  Requirements  Management 

Financial  Resource  Management 

Resilient  Technical  Solution  Engr. 

Human  Resource  Management 

Risk  Management 

Identity  Management 

Service  Continuity 

Incident  Management  &  Control 

Technology  Management 

Knowledge  &  Information  Mgmt 

Vulnerability  Analysis  &  Resolution 
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For  FISMA  Compliance 


Access  Management 

Asset  Definition  and  Management 

Communications 

Compliance 

Controls  Management 

Enterprise  Focus 

Environmental  Control 

External  Dependencies 

Financial  Resource  Management 

Human  Resource  Management 

Identity  Management 

Incident  Management  &  Control 

Knowledge  &  Information  Mgmt 
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Measurement  and  Analysis 
Monitoring 

Organizational  Process  Focus 
Organizational  Process  Definition 
Organizational  Training  &  Awareness 
People  Management 
Resiliency  Requirements  Development 
Resiliency  Requirements  Management 
Resilient  Technical  Solution  Engr. 

Risk  Management 
Service  Continuity 
Technology  Management 
Vulnerability  Analysis  &  Resolution 
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For  Managing  Cloud  Computing 


Access  Management 

Measurement  and  Analysis 

Asset  Definition  and  Management 

Monitoring 

Communications 

Organizational  Process  Focus 

Compliance 

Organizational  Process  Definition 

Controls  Management 

Organizational  Training  &  Awareness 

Enterprise  Focus 

People  Management 

Environmental  Control 

Resiliency  Requirements  Development 

External  Dependencies 

Resiliency  Requirements  Management 

Financial  Resource  Management 

Resilient  Technical  Solution  Engr. 

Human  Resource  Management 

Risk  Management 

Identity  Management 

Service  Continuity 

Incident  Management  &  Control 

Technology  Management 

Knowledge  &  Information  Mgmt 

Vulnerability  Analysis  &  Resolution 
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For Managing the Insider Threat Challenge

Access Management
Asset Definition and Management
Communications
Compliance
Controls Management
Enterprise Focus
Environmental Control
External Dependencies
Financial Resource Management
Human Resource Management
Identity Management
Incident Management & Control
Knowledge & Information Mgmt
Measurement and Analysis
Monitoring
Organizational Process Focus
Organizational Process Definition
Organizational Training & Awareness
People Management
Resiliency Requirements Development
Resiliency Requirements Management
Resilient Technical Solution Engr.
Risk Management
Service Continuity
Technology Management
Vulnerability Analysis & Resolution
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?

□ What operational risk management activities (silos) exist? Are there opportunities for
convergence of some sort?

□ Draw the resilience context diagram for your organization.

□ What are your resilience requirement categories?

□ Repeat the exercise for your organization.

□ Select a process improvement cycle. Do you already use one?

□ Select a sample problem at your organization and do a model
scoping exercise.


Summary  of  CERT-RMM 
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Distinguishing Features of RMM

Converges key operational risk
management activities: security, BC/DR, and
IT operations

Guides implementation and management
of operational resilience activities

Descriptive rather than prescriptive -
focuses on the “what” not the “how”

Provides an organizing convention for
effective selection and deployment of codes
of practice and standards

Guide for improvement in areas where an
organization’s capability does not equal its
desired state
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Distinguishing Features of RMM (Cont.)

Improves confidence in how an
organization responds in times of
operational stress

Baseline from which to perform an
appraisal

Enables measurements of effectiveness
Process improvement model
Enables institutionalization
Not a proprietary model


Variety of Ways to Use RMM

Starting point for socializing important harmonization and convergence principles
across security, business continuity, and IT operations activities

Reference model for understanding the scope of managing operational resilience

Process improvement model to catalyze a process improvement effort

Baseline from which to perform an
appraisal of an organization’s
capability

Guide for improvement in areas
where an organization’s capability
does not equal its desired state

Organizing construct for codes of
practice

Taxonomy


Proven  Use  Cases 

&  Real  Life  Samples 

•  Success  stories 

•  How  are  organizations  utilizing  the  converged  approaches? 

•  Who  is  actually  utilizing  and  benefiting  from  CERT-RMM? 
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Who is using CERT-RMM?

Working with CERT

Carnegie Mellon University
Discover Financial
Highlands Union Bank
Lockheed Martin Corporation
Marshall & Ilsley Corporation
PNC Corporation
University of Pittsburgh Medical Center
US Dept of Energy
US Dept of Homeland Security
US Dept of Health & Human Services
US Environmental Protection Agency
US National Security Agency
US Postal Inspection Service
USBank
SunGard
Etc...

Independently

CERT-RMM v1.0: more than 3000 downloads.

Organization type reported on download:
Corporate 45%
Education 16%
Personal 15%
Government
Other

CERT-RMM v1.1 (published by
Addison-Wesley) in second printing
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A Sampling of CERT-RMM
Applications and Derivatives

[Figure: document covers]

CERT Resilience Management Model:
Model for Managing Operational Resilience
Richard A. Caralli, Julia H. Allen, David W. White

Version 1.0
31 May 2012

Cyber Resilience Review (CRR):
Method Description and
Self-Assessment User Guide
February 2014

Homeland Security
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US Department of Homeland Security
Cyber Resilience Review (CRR) Program

[DHS fact sheet: Homeland Security, Cyber Resilience Review]

The Cyber Security Evaluation Program (CSEP),
within the Department of Homeland Security's (DHS)
National Cyber Security Division (NCSD), conducts a
no-cost, voluntary Cyber Resilience Review (CRR) to
evaluate and enhance cyber security capacities and
capabilities within all 18 Critical Infrastructure and
Key Resources (CIKR) Sectors, as well as State, Local,
Tribal and Territorial (SLTT) governments. The CRR
seeks to understand cyber security management of
services (and associated assets) critical for an
organization's mission success by focusing on
protection and sustainment practices within ten key
domains that contribute to the overall cyber
resilience of an organization.

Overview

The CRR focuses on the following ten domains:

1. Asset Management
2. Configuration and Change Management
3. Risk Management
4. Controls Management
5. Vulnerability Management
6. Incident Management
7. Service Continuity Management
8. External Dependencies Management
9. Training and Awareness
10. Situational Awareness

The CRR addresses the following four asset types:

1. People
2. Information
3. Technology
4. Facilities

The CRR is based on the CERT Resilience
Management Model (CERT-RMM) developed by
Carnegie Mellon University's Software Engineering
Institute (www.cert.org/resilience/rmm.html). The
goal of the CRR is to develop an understanding of an
organization's operational resilience and ability to
manage cyber risk to its critical services and assets
during normal operations and during times of
operational stress and crises.

The CRR seeks to elicit the current state of cyber
security management practices from key cyber
security personnel: Chief Information Officers, Chief
Information Security Officers, and those responsible
for management of IT Security, IT Operations, and
Business Continuity.

What to Expect

• The CRR is a one-day, on-site facilitation and
interview of key cyber security personnel.

• The participants will receive a draft report within
45 calendar days to review and provide feedback on
report results. DHS will subsequently issue a final
CRR Report.

• CRR results are afforded protections under the
DHS Protected Critical Infrastructure Information
(PCII) Program (www.dhs.gov/PCII); the results
are for organization use and DHS does not share
results.

Contact Information for CRR-related Inquiries

Please address inquiries regarding the CRR to:
CSE@faq.dhs.gov (Cyber Security Evaluations).

The CRR results in a report that summarizes
observed strengths and weaknesses in each domain
and provides options for consideration containing
general guidance or activities aimed at improving the
cyber security posture and preparedness of an
organization.

About DHS and NCSD

DHS is responsible for safeguarding our Nation's critical
infrastructure from physical and cyber threats that can affect
national security, public safety, and economic prosperity.
NCSD leads DHS's efforts to secure cyberspace and cyber
infrastructure. For additional information please visit
www.dhs.gov/cyber.
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What  is  CRR? 

The  Cyber  Resilience  Review  (CRR)  is  a  review  of  the  overall 
practice,  integration,  and  health  of  an  organization’s  cyber 
security  program. 


The CRR seeks to understand cyber security management of
services and associated assets critical for an
organization’s mission success.


Focusing  on  protection  and  sustainment  practices  within 
key  areas  that  typically  contribute  to  the  overall  cyber 
resilience  of  an  organization. 
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CRR  Goal 

Develop  an  accurate  and  efficient  method  to  characterize  an 
organization’s 

•  operational  resilience,  and 

•  ability  to  manage  cyber  risk  to  its  critical  services  and  its  related 
assets  during  normal  operations  and  during  times  of  stress  and 
crisis 


The  CRR  is  based  on  CERT-RMM. 


Developed  for  DHS 
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Target organizations

Critical Infrastructure
and Key Resources
(CIKR) providers

State, Local, Tribal, and
Territorial (SLTT)
governments

“Systems and assets, whether
physical or virtual, so vital to the
United States that the incapacity
or destruction of such systems
and assets would have a
debilitating impact on security,
national economic security,
national public health or safety, or
any combination of those matters”
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CRR  Domains 


The  ten  domains  in  CRR 
represent  important  areas 
that  contribute  to  the  cyber 
resilience  of  an 
organization. 


The  domains  focus  on 
practices  an  organization 
should  have  in  place  to 

assure  the  protection  and 
sustainment  of  its  critical 
service. 
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AM   Access Management
CTL  Controls Management
CCM  Configuration and Change Management
VM   Vulnerability Management
IM   Incident Management
SCM  Service Continuity Management
RM   Risk Management
EXD  External Dependencies Management
TA   Training and Awareness
SA   Situational Awareness
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CRR Domain Structure

Domain
  Purpose Statement
  Specific Goals
    Practices at MIL0
    Practices at MIL1
  Common Goals
    Practices at MIL2
    Practices at MIL3
    Practices at MIL4
    Practices at MIL5
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Intent and overview

One or more progressions of
practices that are unique to the
domain

Progression of practices that
describe institutionalization
activities; same in each domain
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Process Institutionalization in the CRR

Maturity indicator levels (MIL) are used in CRR v2 to measure process institutionalization

Level 0 - Incomplete   (Practices are incomplete)
Level 1 - Performed    (Practices are performed)
Level 2 - Planned      (Levels 2 and above: processes are acculturated,
Level 3 - Managed       defined, measured, and governed)
Level 4 - Measured
Level 5 - Defined

Higher degrees of institutionalization translate to more stable processes that
• produce consistent results over time
• are retained during times of stress
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US  Department  of  Energy 
Electricity  Subsector  Cybersecurity  Capability 

Maturity  Model  (ES-C2M2) 


ELECTRICITY  SUBSECTOR 

CYBERSECURITY  CAPABILITY  MATURITY  MODEL  (ES-C2M2) 


Version  1.0 

31  May  2012 
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White House sponsorship

[Screenshot: The White House Blog, whitehouse.gov]

Protecting the Nation’s Electric Grid from Cyber Threats

Howard A. Schmidt
January 09, 2012

Protecting the electric system from cyber threats and ensuring its resilience are vital to
our national security and economic well-being. This is exactly why cybersecurity is one
of four key themes in the White House's Policy Framework for a 21st Century Grid. For
obvious reasons, the private sector shares our interest in a safe and secure electric grid.
The Administration has benefited from working closely with industry, including to develop
the Roadmap to Achieve Energy Delivery Systems Cybersecurity, released by the
Department of Energy last September.

To continue that close cooperation, last week Deputy Secretary of Energy Dan Poneman
and I, along with senior officials from Department of Homeland Security, hosted industry
leaders to discuss a new initiative to further protect the electric grid from cyber risks. This
initiative — the Electric Sector Cybersecurity Risk Maturity Model Pilot — is a new White
House initiative led by the Department of Energy in collaboration with the Department of
Homeland Security, to develop a model to help us identify how secure the electric grid is
from cyber threats and test that model with participating utilities. Gaining knowledge about
strengths and remaining gaps across the grid will better inform investment planning and
research and development, and enhance our public-private partnership efforts.
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ES-C2M2  Overview 


Sponsor 

•  Department  of  Energy  (DOE) 

Target  user  organizations 

•  All  electric  utilities  and  grid  operators,  regardless  of  ownership 
structure,  size,  or  function 

Goal 

•  Develop  capabilities  to  manage  dynamic  threats  and  understand 
cybersecurity  posture  of  the  grid 

Objectives 

•  Strengthen  cybersecurity  capabilities 

•  Enable  consistent  evaluation  and  benchmarking  of  cybersecurity 
capabilities 

•  Share  knowledge  and  best  practices 

•  Enable  prioritized  actions  and  cybersecurity  investments 
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What is ES-C2M2?

An organized set of cybersecurity practices

A self-evaluation questionnaire and scoring tool

For examining, benchmarking, and improving cybersecurity program

Developed by and for electric utilities, but
proven useful for other types of organizations
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ES-C2M2 domains

[Diagram: the ten domains arranged as a wheel under category labels such as WORKFORCE, SITUATION, RISK, ASSET, THREAT, INCIDENT, DEPENDENCIES]

Risk Management
Asset, Change, and Configuration Management
Identity and Access Management
Threat and Vulnerability Management
Situational Awareness
Information Sharing and Communications
Event and Incident Response, Continuity of Operations
Supply Chain and External Dependencies Management
Workforce Management
Cybersecurity Program Management

* Domains are logical groupings of
cybersecurity practices

* Each domain has a short name for easy
reference
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ES-C2M2 Maturity Indicator Levels

Level / Name / Description

MIL0 - Not Performed
• MIL1 has not been achieved in the domain

MIL1 - Initiated
• Initial practices are performed, but may be ad hoc

MIL2 - Performed
• Practices are documented
• Stakeholders are involved
• Adequate resources are provided for the practices
• Standards or guidelines are used to guide practice implementation
• Practices are more complete or advanced than at MIL1

MIL3 - Managed
• Domain activities are guided by policy (or other directives)
• Activities are periodically reviewed for conformance to policy
• Responsibility and authority for practices are clearly assigned
to personnel with adequate skills and knowledge
• Practices are more complete or advanced than at MIL2
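The MIL definitions above are cumulative: a domain is at MIL0 until MIL1 is achieved, and each higher level presumes the practices of the levels below it. The same gating idea underlies the CRR's institutionalization levels. The Python below is an added example, not the ES-C2M2 questionnaire or its scoring tool and not CRR code; it scores constructed yes/no questionnaire responses against that gating rule and reports which practices block a domain from reaching its next level. The practice IDs, their wording, and the boolean response scale are assumptions made for the example.

```python
"""Toy maturity-indicator-level (MIL) scorer (added example; not the
ES-C2M2 or CRR scoring tool). Assumptions: every practice is tagged with
the MIL it belongs to, a response is a plain boolean (implemented or
not), and a domain reaches MIL n only when every practice at MIL 1..n is
implemented. A domain that has not achieved MIL1 is at MIL0."""
from dataclasses import dataclass, field

MAX_MIL = 3  # the page scores MIL0-MIL3; the level above is reserved


@dataclass(frozen=True)
class Practice:
    pid: str   # hypothetical identifier, e.g. "RM-2b"
    mil: int   # maturity indicator level the practice belongs to
    text: str  # constructed practice wording


@dataclass
class DomainResult:
    domain: str
    mil: int
    # practices that are not implemented at the first level that fails,
    # i.e. the ones blocking the next MIL (empty when MAX_MIL is reached)
    blocking: list = field(default_factory=list)


def score_domain(domain, practices, responses):
    """Return the MIL achieved by one domain plus its blocking practices.

    Levels are checked from MIL1 upward; the first level with any
    unimplemented practice stops the climb, regardless of how many
    higher-level practices happen to be implemented."""
    achieved = 0
    for level in range(1, MAX_MIL + 1):
        at_level = [p for p in practices if p.mil == level]
        missing = [p.pid for p in at_level if not responses.get(p.pid, False)]
        if missing:
            return DomainResult(domain, achieved, missing)
        achieved = level
    return DomainResult(domain, achieved, [])


def score_model(model, responses):
    """Score every domain of a model; model maps domain name -> practices."""
    return {name: score_domain(name, ps, responses) for name, ps in model.items()}


def lowest_mil(results):
    """Overall floor: the lowest MIL achieved by any domain."""
    return min(r.mil for r in results.values())


# Constructed sample model: two domains with hypothetical practices.
SAMPLE_MODEL = {
    "RM": [
        Practice("RM-1a", 1, "Cybersecurity risks are identified"),
        Practice("RM-1b", 1, "Identified risks are mitigated, accepted, tolerated, or transferred"),
        Practice("RM-2a", 2, "A documented risk management strategy exists"),
        Practice("RM-2b", 2, "Stakeholders for risk management activities are identified"),
        Practice("RM-3a", 3, "Risk management activities are guided by policy"),
    ],
    "IR": [
        Practice("IR-1a", 1, "Cybersecurity events are detected and reported"),
        Practice("IR-2a", 2, "Criteria for declaring incidents are documented"),
        Practice("IR-3a", 3, "Incident response activities are reviewed for conformance to policy"),
    ],
}

# Constructed questionnaire responses (True = implemented).
SAMPLE_RESPONSES = {
    "RM-1a": True, "RM-1b": True, "RM-2a": True, "RM-2b": False, "RM-3a": True,
    "IR-1a": True, "IR-2a": True, "IR-3a": True,
}

if __name__ == "__main__":
    results = score_model(SAMPLE_MODEL, SAMPLE_RESPONSES)
    for name, r in results.items():
        print(f"{name}: MIL{r.mil}  blocking next level: {r.blocking or 'none'}")
    print(f"overall floor: MIL{lowest_mil(results)}")
```

With the sample data RM stays at MIL1 even though its MIL3 practice is implemented, because RM-2b is missing; that is the practical point of the cumulative rule, and the blocking list is the gap analysis an organization would act on first.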
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Maturity Indicator Levels

ES-C2M2 Structure

[Figure: grid of the 10 model domains (columns) against the maturity indicator levels (rows)]

Rows (Maturity Indicator Levels):
  (Reserved)
  3 Managed
  2 Performed
  1 Initiated
  0 Not Performed

1 Maturity Indicator Level that is reserved for future use

4 Maturity Indicator Levels: Defined progressions of practices

Each cell contains the defining practices for the
domain at that maturity indicator level.

10 Model Domains: Logical groupings of cybersecurity practices

Domain Structure

  Practices at MIL1
  Practices at MIL2
  Practices at MIL3

  Common Objective
    Practices at MIL2
    Practices at MIL3
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Use  of  CERT-RMM  by 
US  Postal  Inspection  Service  (USPIS) 
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U.S.  Postal  Inspection  Service  (USPIS) 

The  law  enforcement  arm  of  the  United  States  Postal  Service 

The  oldest  origins  of  any  federal  law  enforcement  agency  in 
the  United  States  dating  back  to  1772 

Mission  of  the  USPIS 

•  Support  and  protect  the  U.S.  Postal  Service  and  its 
employees,  infrastructure,  and  customers 

•  Enforce  the  laws  that  defend  the  nation’s  mail  system  from 
illegal  or  dangerous  use 

•  Ensure  public  trust  in  the  mail 
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Use  of  CERT-RMM  at  USPIS 


The  USPIS  has  used  CERT-RMM  and  its  appraisal 
method  to  address 

•  export  screening 

•  new  product  security 

•  measuring  and  monitoring  risks  associated  with  fraud 

•  physical  security  and  aviation  screening  for  international 
mail 

•  improved  processes  for  investigative  response  to 
network  security  incidents 

•  development  of  mail-specific  process  areas  for  mail 
acceptance  and  revenue  assurance 
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Lockheed Martin Corporation
Corporate Business Resilience Strategic Initiative

[Screenshot: SEI Library page]

Application of the CERT® Resilience Management
Model at Lockheed Martin

Lockheed Martin Corporation has collaborated with the
Software Engineering Institute on the application of the
CERT Resilience Management Model (CERT-RMM) to
improve Lockheed Martin's corporate-wide business
continuity, IT disaster recovery, crisis management, and
pandemic planning activities. Two CERT-RMM Class C
appraisals have been conducted as part of the collaboration.
This presentation will provide an overview of the project,
information about the appraisals, and a summary of the use
of the appraisal results.
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Uses  of  RMM  at  Lockheed  Martin 


To  assess  current  level  of  competencies 

•  Where  are  we  now?  How  good  are  we  now? 

•  A  consistent  and  common  “ruler” 

•  Assessment  by:  self,  internal  3rd  party,  external  3rd  party 

To  guide  future  direction  and  investments 

•  Where  do  we  want  to  be?  How  well  do  we  want  to  get? 

•  Setting  objectives 

•  Determining  the  investments  required  to  reach  the  next/desired  level 

To  measure  progress  towards  the  desired  goal 

Once  the  desired  level  is  reached,  to  ensure  that  the  plans  and 
processes  continue  to  evolve  with  the  needs  of  the  organization 

•  How  do  we  stay  there? 
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Uses  of  RMM  at  Lockheed  Martin 


Common business resilience taxonomy and nomenclature

A reference model for our integrated business resilience
framework

To gauge the preparedness posture of individual business
entities and/or the Enterprise as a whole in the areas of
disaster recovery and business continuity

A mechanism to reveal insights about existing policies and
guidelines

A guiding tool in the development of new command media

A means to communicate key harmonization and convergence
across business resilience and information security
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Challenges 


Resilience  Measurement 


How  do  you  measure  an  emergent  property? 
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How have we been measuring health?

[Image: illustration]

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Should we keep “fighting” the risk landscape?

• Pervasive use of technology
• Intertwining of cyber and physical domains
  • Increased role of cybersecurity in securing physical assets
• Movement toward intangible assets
• Global economic pressures
• Regulatory and legal boundaries
  • Geo-political pressures
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Re-Shaping (not fighting) the Risk Landscape?

[Screenshot: The New York Times, N.Y. / Region]

Cuomo Seeking Home Buyouts in Flood Zones

By THOMAS KAPLAN
Published: February 3, 2013

ALBANY — Gov. Andrew M. Cuomo is proposing to spend as much as
$400 million to purchase homes wrecked by Hurricane Sandy, have
them demolished and then preserve the flood-prone land
permanently, as undeveloped coastline.

The purchase program, which still requires approval from federal
officials, would be among [...] ambitious ever undertaken [...] and
would never be built on again. Some properties
could be turned into dunes, wetlands or other natural
buffers that would help protect coastal communities from
ferocious storms; other parcels could be combined and
turned into public parkland.
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Other Related Considerations

MODELS: Next generation of integrated cyber-resilience management frameworks?

EDUCATION: Resilience Engineering - A new engineering discipline?

RISK MGMT: Re-shaping (not fighting with) the risk landscape?

POLICY: Should organizations be legally allowed to fight back when under cyber attack?

TECHNOLOGY: Mechanisms to compose resilient systems from brittle components?
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Summary

Make a long-term commitment

(Emergent properties don't emerge overnight)
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Make  a  long-term  commitment 

(It  is  not  a  sprint;  it  is  a  marathon) 
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Understand  the  big  picture 

(Organizations  must  address  operationai  risk 
on  a  number  of  dimensions) 
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Prevention is futile
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Cybersecurity  is  a  risk  management  issue 

(Not  a  technology  issue) 
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Cybersecurity  is  a  discussion  topic  for  the  Board 

(Not  for  the  data  center) 
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Compliance ≠ Security or Resilience
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Timeline of the Target Data Breach

[Figure: Target Timeline. Event labels recoverable from the image: Symantec software identifies malicious activity; first FireEye alerts; more FireEye alerts; public notification that millions of credit and debit card records were stolen, after the story was published 12/18; Target confirms breach, removes malware; Target confirms another 70 million data records stolen. Dates on the axis: 11/30, 12/2, 12/12, 12/15, 12/19, 1/10/14.]

Source: https://www.idradar.com/news-stories/identiy-protection/Target-Dropped-The-Ball-On-Breach-Detection-Report-Says
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Continually  balance 
protection  and  sustainment  activities 
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Integrate and coordinate all
operational risk management activities
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Integrate and coordinate all
operational risk management activities

[Diagram: activities arranged around Operational Resilience]

Business Continuity
Disaster Recovery
Workforce Continuity
Crisis Communications
Supply Chain Continuity
Crisis Management
IT Operations
Information Security
Risk Management
Emergency Management


Invest in people and process

(Not only in technology)
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Overcome  organizational  hurdles 
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Create a culture of resilience

institutionalize (verb) (UK usually institutionalise)

to make something become part of a particular society, system, or
organization

What was once an in
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Establish  governance  (strategy,  plan, 
sponsorship,  performance)  for 
operational  resilience. 
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“The  oak  fought  the  wind  and  was  broken, 
the  willow  bent  when  it  must  and  survived.” 

Robert  Jordan,  The  Fires  of  Heaven 


Thank  you  for  your  attention... 
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Step-By-Step / Checklist / Roadmap

□ Identify your critical products and services (Why do you exist?)

□ What does operational stress mean to you?

□ Internal environmental scan (What has changed internally?)

□ External environmental scan (What has changed externally?)

□ Characterize your risk environment.

□ What are your operational risks? Who will be affected if they are realized?

□ What hurdles do you face to effective operational resilience management?

□ What operational risk management activities (silos) exist? Are there opportunities for
convergence of some sort?

□ Draw the resilience context diagram for your organization.

□ What are your resilience requirement categories?

□ Repeat the exercise for your organization.

□ Select a process improvement cycle. Do you already use one?

□ Select a sample problem at your organization and do a model scoping exercise.
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Guidance for Putting it into Practice

Two sample (very different) scenarios for putting principles of
operational resilience into practice:

1. After a major and visible disruptive event has taken place
and you want to apply concepts from this module to deal
with it.

2. There is a (business) desire to put in place a strategic
plan and program to raise the bar.
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Example 1a: After a Major Incident

Environmental Scan / Fact Finding

Analysis of the Incident

Selection & Design of an Enterprise-Wide
Strategic Approach

Development of an Execution Plan

Implementation & Execution of the Plan
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Example 1b: After a Major Incident

Environmental Scan / Fact Finding
— The Company
— The Incident

Analysis of the Incident
— Business Impact
— Root Causes
— Risk Assessment

Selection & Design of an Approach
— Operational Resilience Management Approach
— Gap Analysis & Characterization of Current State
— Establishing Target State
— How to get there?

Development of an Execution Plan
— Short-Term / Long-Term Corrective Actions
— Phase I, II, III, ...

Implementation & Execution of the Plan
— Execution and Program Approach
— Roles and Responsibilities
— Timeline

[Diagram: process improvement cycle with the steps Recognize Objective, Determine Scope, Analyze Gaps, Implement Changes, Evaluate Results]
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Example  2a:  Strategic  Plan  to  Raise  the  Bar 
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Example 2b: Strategic Plan to Raise the Bar

[Diagram: phases Explore & Learn, Tailor & ID Gaps, Plan, Execute Plan, O&M]

Explore & Learn
• Explore the concept of Operational Resilience
• Socialize with a portion of leadership team
• Have a small team learn more about it
• Learn more about how others have used it / benefited from it

Tailor & ID Gaps
• Determine what "Operational Risk" means to this enterprise
• Internal Environmental Scan (functionally & geographically)
• Characterize risks / issues / concerns / opportunities
• Confirm the business need and the desire to raise the bar

Plan
• Identify executive sponsor / champion
• Form "Business Resilience" Executive Steering Committee
• Develop a Strategic Plan (What to do? How to do them? Who to do
them? Resources? Timeframe? How to measure?)

Execute Plan
• Controlled Implementation
• Monitoring Indicators
• Influencing Outcomes

O&M
• Continual Feeding-and-Caring
• Regular Assessment
